Preface


ASIACRYPT 2003 was held in Taipei, Taiwan, from Nov. 30 to Dec. 4, 2003. The 9th Annual ASIACRYPT conference was sponsored by the International Association for Cryptologic Research (IACR), this year in cooperation with the Chinese Cryptology and Information Security Association (CCISA) and National Cheng Kung University (NCKU) in Taiwan.

One hundred and eighty-eight papers from 26 countries were submitted to 
ASIACRYPT 2003 and 33 (of which one paper was withdrawn by the authors 
after notification) of these were selected for presentation. These proceedings con- 
tain revised versions of the accepted papers. We had an IACR 2003 Distinguished 
Lecture, by Dr. Don Coppersmith, entitled “Solving Low Degree Polynomials.” 
In addition, two invited talks were given at the conference. One was given by Dr. 
Adi Shamir. The other one was given by Dr. Hong-Sen Yan, entitled “The Secret 
and Beauty of Ancient Chinese Locks.” The conference program also included a 
rump session, chaired by Tzong Chen Wu, which featured short informal talks 
on recent results. 

It was a pleasure for me to work with the program committee, which was 
composed of 27 members from 17 countries; I thank them for working very hard 
over several months. As a matter of fact, the review process was a challenging and 
time-consuming task, and it lasted about 8 weeks, followed by more than half a 
month for discussions among the program committee members. All submissions 
were anonymously reviewed by at least 3 members in the relevant areas of the 
program committee; in some cases, particularly for those papers submitted by a 
member of the program committee, they were reviewed by at least six members. 
We are grateful to all the program committee members who put in a lot of effort 
and precious time giving their expert analysis and comments on the submissions. 
In addition, we really appreciate the external referees who contributed with their 
expertise to the reviewing process; without their help, the selection process would 
not have gone so smoothly. 

All paper submissions to ASIACRYPT 2003 were received electronically 
using the Web-based submission software, which was provided by Chanathip 
Namprempre. The review software was kindly provided by Bart Preneel, Wim 
Moreau, and Joris Claessens. I would like to thank Chien-Pang Kuo for his help 
with the installation and with solving problems we had with the software. I am 
also very grateful to Yi-Zhen Lin for her great help in handling ASIACRYPT 
2003 affairs. 

Special thanks to Yuliang Zheng, who acted as an advisory member of the 
committee and provided advice based on his previous experience. I would also 
like to thank the chair of IACR, Andy Clark, who gave me valuable advice on 
all kinds of problems. 

For financial support of the conference, we are very grateful to this year’s 
sponsors, including the National Science Council, the Ministry of Education, the 
Directorate-General of Telecommunications, R.O.C., Chunghwa Telecom Co., Ltd., the Institute for Information Industry, Computer & Communications Research Labs, ITRI, etc.

Finally, we would like to thank all other people who provided any assistance, 
and all the authors who submitted their papers to ASIACRYPT 2003, as well 
as all the participants from all over the world. 

September 2003 Chi Sung Laih 
Chosen-Ciphertext Security without Redundancy


Duong Hieu Phan and David Pointcheval 

École normale supérieure, Département d'informatique
45 rue d'Ulm, 75230 Paris Cedex 05, France
{duong.hieu.phan, david.pointcheval}@ens.fr


Abstract. We propose asymmetric encryption schemes for which all ciphertexts are valid (which means here “reachable”: the encryption function is not only a probabilistic injection, but also a surjection). We thus introduce the Full-Domain Permutation encryption scheme, which uses a random permutation. This is the first IND-CCA cryptosystem based on any trapdoor one-way permutation without redundancy, and, more interestingly, the bandwidth is optimal: the ciphertext is only $k$ bits longer than the plaintext, where $2^{-k}$ is the expected security level. Thereafter, we apply it in the random oracle model by instantiating the random permutation with a Feistel network construction, and thus using OAEP. Unfortunately, the usual 2-round OAEP does not seem to be provably secure, but a 3-round OAEP can be proved IND-CCA even without the usual redundancy $m\|0^{k_1}$, under the partial-domain one-wayness of any trapdoor permutation. Although the bandwidth is not as good as in the random permutation model, the absence of redundancy is quite new and interesting: many implementation risks are ruled out.


1 Introduction 

By now, the widely admitted appropriate security level for asymmetric encryption is the so-called chosen-ciphertext security (IND-CCA): that is actually semantic security [16] against adaptive chosen-ciphertext attacks [21]. For achieving semantic security, even in the basic chosen-plaintext scenario, the encryption algorithm must be probabilistic, which means that a given plaintext (with a fixed public key) should be possibly encrypted in many different ways (at least $2^k$ different ciphertexts if $2^{-k}$ is the expected security level). This naturally implies an expansion: the ciphertext is at least $k$ bits longer than the plaintext. OAEP achieves the optimal bound if one considers IND-CPA only, but fails when considering IND-CCA [5,15].

The general idea for designing cryptosystems which are secure in the sense of chosen-ciphertext security is indeed to make the decryption oracle useless by making the creation of new “valid” ciphertexts (which are not produced by actually encrypting some known plaintexts) impossible. The general approach is thus to add some redundancy either to the plaintext before encrypting [5] or in a tag appended to the ciphertext [4,18]. The former method can be named “encode-then-encrypt”, with a randomized bijective encoding (padding) and a trapdoor injective one-way function as encryption [5,23,8]. The latter is more like a key-encapsulation technique combined with a MAC of the plaintext, the ciphertext and/or the ephemeral key [10,1,18].

C.S. Laih (Ed.): ASIACRYPT 2003, LNCS 2894, pp. 1-18, 2003.
© International Association for Cryptologic Research 2003

For symmetric encryption schemes, Desai [11] avoids the overhead due to the 
MAC or redundancy by using variable-length input PRF, variable-length output 
PRF (unbalanced Feistel paradigm) or variable-length input super-PRF (encode- 
then-encipher). The proposed schemes are chosen-ciphertext secure, without re- 
dundancy and the ciphertext expansion is smaller than for any other provably 
secure scheme. 

In the present paper, inspired by this idea (encode-then-encipher), we consider the case of asymmetric encryption, by using a public random permutation, which is clearly a bijective encoding, and this leads to the first IND-CCA scheme without any redundancy. More interestingly, the bandwidth of this scheme is optimal.

On the other hand, the security proof holds in the strong and ideal “random 
permutation model”. Such a scheme in a weaker model (the random oracle model 
or the standard model) would be better. The second part of this paper is devoted 
to this goal. We use the construction of OAEP but with 3 rounds, instead of 
2, and we can prove that such a scheme is IND-CCA and all the ciphertexts are 
reachable by the encryption algorithm, and are thus valid (or almost all in the 
most general case). 

The rest of the paper is organized as follows: we first briefly recall the security notions for asymmetric encryption; then we present the FDP encryption and we prove that it is IND-CCA secure with any trapdoor one-way permutation. Finally we consider the random oracle model, in which we propose a 3-round OAEP for which (almost) any ciphertext is valid (i.e., reachable) and we show that it achieves IND-CCA under the partial-domain one-wayness of any trapdoor permutation [15].

2 Public Key Encryption 

The aim of a public-key encryption scheme is to allow anybody who knows the 
public key of Alice to send her a message that she will be the only one able to 
recover, thanks to her private key. 

2.1 Definitions 

A public-key encryption scheme $\pi$ is defined by the three following algorithms:

— The key generation algorithm $\mathcal{G}$. On input $1^k$, where $k$ is the security parameter, the algorithm $\mathcal{G}$ produces a pair $(\mathsf{pk}, \mathsf{sk})$ of matching public and private keys.

— The encryption algorithm $\mathcal{E}$. Given a message $m$ and a public key $\mathsf{pk}$, $\mathcal{E}_{\mathsf{pk}}(m)$ produces a ciphertext $c$ of $m$. This algorithm may be probabilistic (involving random coins $r \in \mathcal{R}$, and then denoted $\mathcal{E}_{\mathsf{pk}}(m; r)$).

— The decryption algorithm $\mathcal{D}$. Given a ciphertext $c$ and the secret key $\mathsf{sk}$, $\mathcal{D}_{\mathsf{sk}}(c)$ gives back the plaintext $m$.
2.2 Security Notions


The widely admitted security notion for encryption schemes is the so-called semantic security [16] (a.k.a. polynomial security/indistinguishability of encryptions): if the attacker has some a priori information about the plaintext, the view of the ciphertext should not increase this information. This security notion requires the computational impossibility of distinguishing which one of two messages, chosen by the adversary itself, has been encrypted, with a probability significantly better than one half: its advantage $\mathrm{Adv}^{\mathrm{ind}}_\pi(\mathcal{A})$, as defined below where the adversary $\mathcal{A}$ is seen as a 2-stage Turing machine $(\mathcal{A}_1, \mathcal{A}_2)$, should be negligible.

$$\mathrm{Adv}^{\mathrm{ind}}_\pi(\mathcal{A}) = 2 \times \Pr_{b,r}\left[(\mathsf{pk},\mathsf{sk}) \leftarrow \mathcal{G}(1^k);\ (m_0, m_1, s) \leftarrow \mathcal{A}_1(\mathsf{pk});\ c = \mathcal{E}_{\mathsf{pk}}(m_b; r) : \mathcal{A}_2(m_0, m_1, s, c) = b\right] - 1$$


Another notion has been thereafter defined, the so-called non-malleability [12], 
but this notion is equivalent to the above one in some specific scenarios [7]. 
Moreover, it is equivalent to the semantic security [3] in the most interesting 
scenarios, described below. 

Indeed, an attacker can play many kinds of attacks: it may just have access to public data, and then encrypt any plaintext of its choice (chosen-plaintext attacks), or have access to extra information, modeled by various oracles. In this model, the strongest oracle is definitely the decryption algorithm, which can be queried on any ciphertext, except the challenge ciphertext (adaptive/non-adaptive chosen-ciphertext attacks [17,21]).

A general study of these security notions and attacks has been carried out in [3]; we therefore refer the reader to this paper for more details. Actually, one conclusion is that the strongest security level is the so-called chosen-ciphertext security, which is semantic security (IND) under adaptive chosen-ciphertext attacks (CCA), hence the notation IND-CCA, also known as IND-CCA2, to be compared to IND-CCA1, which captures lunchtime attacks [17] only.


2.3 Secure Designs 

The expected security level is thus IND-CCA, which is now required to be provably achieved before any practical use. The last ten years have seen several practical proposals which provide this strong security level. The first, and most famous one, is definitely OAEP [5], a generic conversion proposed by Bellare and Rogaway, which applies to any trapdoor partial-domain one-way permutation, such as RSA, in the random oracle model [15]. Some variants have been recently proposed, which either apply to particular cases (SAEP, SAEP+ [8]) or more general ones (OAEP+ [23]). But they all add some redundancy in the plaintext before encrypting it: a ciphertext that is not properly generated, without knowing the plaintext, is valid with negligible probability only. The latter property had been formally defined by the plaintext-awareness notion [5,3]. Granted it, a decryption oracle does not provide any information.
Some other paddings have also been proposed to apply to more general families of functions, which are not necessarily one-to-one: Fujisaki and Okamoto [13,14], Pointcheval [20] and Okamoto and Pointcheval [18]. Once again, chosen-ciphertext security is achieved granted redundancy, but in the ciphertext: only properly generated ciphertexts (with some known plaintexts) have a chance to be valid: plaintext-awareness.

3 FDP: Full-Domain Permutation Encryption 

In the same vein as the Full-Domain Hash signature [6,9], we suggest the Full- 
Domain Permutation encryption, in which one applies a random permutation 
to the message (and the random coins) before encrypting it with the trapdoor 
one-way permutation. We therefore obtain the first cryptosystem which achieves 
chosen-ciphertext security, without redundancy: any ciphertext is valid, and the 
bandwidth is optimal. 

3.1 Description 

The FDP-encryption is quite simple, since it uses a random permutation $\mathcal{P}$ (which is a bijective random oracle, or an ideal cipher with a particular key, say 0; see also [22]). The key generation algorithm selects a trapdoor one-way permutation $\varphi_{\mathsf{pk}}$ (and its inverse $\psi_{\mathsf{sk}}$, granted the trapdoor $\mathsf{sk}$) over $\{0,1\}^{k+\ell}$, and a random permutation $\mathcal{P}$ over the same space ($\{0,1\}^\ell \times \{0,1\}^k$ is identified to $\{0,1\}^{\ell+k}$). The public key $\mathsf{pk}$ thus defines the permutation $\varphi_{\mathsf{pk}}$, while the private key $\mathsf{sk}$ defines the inverse $\psi_{\mathsf{sk}}$ of $\varphi_{\mathsf{pk}}$. Then,

$$\mathcal{E}_{\mathsf{pk}}(m; r) = \varphi_{\mathsf{pk}}(\mathcal{P}(m, r)) \qquad \mathcal{D}_{\mathsf{sk}}(c) = m, \text{ where } (m, r) = \mathcal{P}^{-1}(\psi_{\mathsf{sk}}(c)).$$

The space of the plaintexts is $\{0,1\}^\ell$, while the space of the random coins $r$ is $\{0,1\}^k$. Note that both $\mathcal{P}$ and $\mathcal{P}^{-1}$ are public permutations.

Note that usual trapdoor one-way permutations are not on a binary set, as it 
will be discussed in a more extensive way in the following. Anyway, just doubling 
the computational cost, on average, one easily gets such a particular case from 
any permutation over an interval: [2] suggested an iterated version. 

3.2 Security Result 

As already said, the first advantage of this scheme is that any ciphertext is valid: any ciphertext can be decrypted into a plaintext, and furthermore any ciphertext can also be reached by the encryption algorithm. The second important advantage comes from the security result given below: it provides chosen-ciphertext security under the intractability of inverting $\varphi$, with a security level in $2^k$, with an overhead of $k$ bits (the random coins). This means that the bandwidth is optimal: contrary to OAEP or OAEP+, which need an overhead of at least $2k$ bits (the random coins and the redundancy) for a similar security level. Of course, this remark only applies to the most general case where $\ell > k$ (e.g., $k = 80$ and $k + \ell = 1024$).
Theorem 1. Let $\mathcal{A}$ be any chosen-ciphertext adversary against $\varphi$-FDP, within time $t$. After $q_p$ and $q_d$ queries to the permutation oracles and the decryption oracle respectively,

$$\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_\pi(\mathcal{A}) \le 2 \times \mathrm{Succ}^{\mathrm{ow}}_\varphi(t + 2q_p \times T_\varphi) + 2 \times \left( \frac{(q_p + q_d + 1)^2}{2^{\ell+k}} + \frac{2q_p}{2^k} + \frac{(q_d + 1)^2}{2^\ell} \right)$$

where $T_\varphi$ is the time complexity for evaluating $\varphi$.

Let us briefly recall that for any algorithm $\mathcal{A}$,

$$\mathrm{Succ}^{\mathrm{ow}}_\varphi(\mathcal{A}) = \Pr[\mathcal{A}(\varphi_{\mathsf{pk}}(x)) = x], \quad \text{and} \quad \mathrm{Succ}^{\mathrm{ow}}_\varphi(t) = \max_{\mathcal{A}}\{\mathrm{Succ}^{\mathrm{ow}}_\varphi(\mathcal{A})\},$$

where the maximum is taken over adversaries running within time $t$.


3.3 Sketch of the Proof 

The goal of the proof is to simulate the oracles $\mathcal{P}$, $\mathcal{P}^{-1}$, and $\mathcal{D}_{\mathsf{sk}}$ in such a way that the adversary cannot distinguish the simulations from the real oracles. In the simulation, the decryption answer for a ciphertext that has not been obtained before is a new random value (independent of the others). We then have to keep the simulation of the random permutation consistent. On the other hand, the challenge is made independent of the plaintexts $m_0$ and $m_1$: the adversary has no advantage.

The proof follows by successively modifying the rules involved in the (perfect) simulation where the oracles $\mathcal{P}$ and $\mathcal{P}^{-1}$ are first simulated by using a perfectly random permutation $P$ and its inverse $P^{-1}$. The last game provides a simulation of $\mathcal{D}_{\mathsf{sk}}$, without inverting

Anyway, the simulation remains almost perfect unless the adversary asks the pre-image via $\varphi_{\mathsf{pk}}$ of the challenge ciphertext to the random permutation $P^{-1}$: it thus helps to invert $\varphi$. The complete proof can be found in the full version of this paper [19].


4 The Random Oracle Model and OAEP 

The above result is not so surprising, but the optimal bandwidth is very good news. However, the proof requires a full-domain random permutation, which is hard to find: practical block ciphers have smaller block sizes. In this section, we present an instantiation of this random permutation, in the random oracle model only. The counterpart will be the need of a stronger assumption about the trapdoor one-way permutation: with a 3-round OAEP, a trapdoor partial-domain one-way permutation leads to an IND-CCA cryptosystem, without redundancy.

4.1 The 2-Round OAEP Case

Before studying the 3-round OAEP, let us first consider the more classical 2-round OAEP which can be described as follows: we use two hash functions $\mathcal{G}$ and $\mathcal{H}$ before encrypting with a trapdoor one-way permutation $\varphi_{\mathsf{pk}}$. More precisely, for encrypting a message $m$, one randomly chooses $r$, and computes $s$ and $t$:

$$s = m \oplus \mathcal{G}(r) \qquad t = r \oplus \mathcal{H}(s).$$

Then, the ciphertext is $c = \varphi_{\mathsf{pk}}(s, t)$. For decryption, one computes

$$(s, t) = \psi_{\mathsf{sk}}(c) \qquad r = t \oplus \mathcal{H}(s) \qquad m = s \oplus \mathcal{G}(r).$$

The usual way to prove the security of a scheme is to exploit an adversary to break the assumption (for instance, the partial-domain one-wayness of the permutation $\varphi_{\mathsf{pk}}$). For that, we must simulate all the resources that the attacker can access, namely the oracles $\mathcal{G}$, $\mathcal{H}$ but also the decryption oracle $\mathcal{D}_{\mathsf{sk}}$. For the above 2-round OAEP, the decryption oracle does not seem simulatable. The following attack game uses the same arguments as the counter-example shown by Shoup against the original OAEP security result [23]. Let us consider an attacker who chooses $s, s'$ and calls $\mathcal{H}$ to get respectively $h = \mathcal{H}(s)$ and $h' = \mathcal{H}(s')$. Then it chooses $t$ and computes $c = \varphi_{\mathsf{pk}}(s, t)$. If it asks $c$ to $\mathcal{D}_{\mathsf{sk}}$, it gets the corresponding plaintext $m$. Then, it computes $t' = t \oplus h \oplus h'$ and $c' = \varphi_{\mathsf{pk}}(s', t')$. If it asks $c'$ to $\mathcal{D}_{\mathsf{sk}}$, it gets the corresponding plaintext $m'$. One can easily see that, since $r' = r$, the relation $m \oplus m' = s \oplus s'$ should hold. But if the simulator cannot detect that $r' = r$, it cannot output a consistent value for $m'$.

Unfortunately, we did not find any easy way to make a consistent simulation for the 2-round OAEP. But a 3-round OAEP is more promising.

4.2 Description of the 3-Round OAEP 

The public key is any trapdoor (partial-domain) one-way bijection $\varphi_{\mathsf{pk}}$ from a set $E$ to a set $F$, while the private key is the inverse $\psi_{\mathsf{sk}}$. For the sake of generality, we do not stick to binary sets (of the form $\{0,1\}^n$): we just assume that there is an integer $\kappa$ such that:

$$\{0\}^\kappa \times \{0,1\}^{k+\ell} \subseteq E \subseteq \{0,1\}^{\kappa+k+\ell} \quad (\text{identified to } \{0,1\}^\kappa \times \{0,1\}^k \times \{0,1\}^\ell).$$

However, note that in the case where $E \neq 0^\kappa\|\{0,1\}^{k+\ell}$ we won't get (as announced) a surjective encryption. But contrary to all the previous IND-CCA schemes, the proportion of valid ciphertexts (i.e., which are reachable) is greater than $1/2^\kappa$, which is not negligible: for efficient applications with RSA, it can be equal to 1/2, or even 1 (by losing a factor 2 in efficiency, one can get $\kappa = 0$, with the iterated-RSA [2]).

The encryption and decryption algorithms use three hash functions $\mathcal{F}, \mathcal{G}, \mathcal{H}$ (assumed to behave like random oracles in the security analysis):

$$\mathcal{F} : \{0,1\}^k \to \{0,1\}^\ell \qquad \mathcal{G} : \{0,1\}^\ell \to \{0,1\}^k \qquad \mathcal{H} : \{0,1\}^{k+\kappa} \to \{0,1\}^\ell.$$

Encryption Algorithm: The space of the plaintexts is $\mathcal{M} = \{0,1\}^\ell$, the encryption algorithm uses random coins in $\mathcal{R} = \{0,1\}^k$, and outputs a ciphertext $c$ into $F$: on a plaintext $m \in \mathcal{M}$, and a random $r \in \mathcal{R}$, one computes

$$s = m \oplus \mathcal{F}(r) \qquad t = r \oplus \mathcal{G}(s) \qquad u = s \oplus \mathcal{H}(0^\kappa\|t) \qquad c = \varphi_{\mathsf{pk}}(0^\kappa, t, u).$$

Decryption Algorithm: On a ciphertext $c$, one first computes $(B, t, u) = \psi_{\mathsf{sk}}(c)$, where $B \in \{0,1\}^\kappa$, $t \in \{0,1\}^k$, $u \in \{0,1\}^\ell$, and then

$$s = u \oplus \mathcal{H}(B\|t) \qquad r = t \oplus \mathcal{G}(s) \qquad m = s \oplus \mathcal{F}(r).$$
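To make the 3-round construction concrete, here is an added Python example (not code from the paper) that implements the three padding rounds above with domain-separated SHA-256 standing in for the random oracles $\mathcal{F}$, $\mathcal{G}$, $\mathcal{H}$, and a toy RSA permutation standing in for $\varphi_{\mathsf{pk}}$; the parameter set, the primes and the helper names are constructed for illustration. It also exercises the reachability point of this section: every element of $\mathbb{Z}_N$ decrypts to some plaintext, and a ciphertext is reachable exactly when the $\kappa$-bit prefix $B$ comes out as $0^\kappa$.

```python
import hashlib

# Toy parameter set (constructed for this example; far too small for real use):
# plaintext length ELL = ell bits, coin length K = k bits, and a KAPPA = kappa-bit
# prefix that the encryption algorithm forces to 0^kappa.
ELL, K, KAPPA = 32, 16, 2

# Toy RSA trapdoor permutation phi_pk(x) = x^E mod N built from two Mersenne primes,
# chosen so that 2^(k+ell) <= N <= 2^(kappa+k+ell): {0}^kappa x {0,1}^(k+ell) lies
# inside Z_N and Z_N lies inside {0,1}^(kappa+k+ell), as the paper assumes for E.
P, Q = (1 << 31) - 1, (1 << 19) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
assert (1 << (K + ELL)) <= N <= (1 << (KAPPA + K + ELL))


def _ro(label: bytes, x: int, in_bits: int, out_bits: int) -> int:
    """Random-oracle stand-in: domain-separated SHA-256 truncated to out_bits."""
    digest = hashlib.sha256(label + x.to_bytes((in_bits + 7) // 8, "big")).digest()
    return int.from_bytes(digest, "big") >> (256 - out_bits)


def F(r: int) -> int:          # F: {0,1}^k -> {0,1}^ell
    return _ro(b"F", r, K, ELL)


def G(s: int) -> int:          # G: {0,1}^ell -> {0,1}^k
    return _ro(b"G", s, ELL, K)


def H(B: int, t: int) -> int:  # H: {0,1}^(kappa+k) -> {0,1}^ell, on input B||t
    return _ro(b"H", (B << K) | t, KAPPA + K, ELL)


def oaep3_pad(m: int, r: int) -> tuple:
    """The three rounds: s = m^F(r), t = r^G(s), u = s^H(0^kappa||t); prefix B = 0."""
    s = m ^ F(r)
    t = r ^ G(s)
    u = s ^ H(0, t)
    return 0, t, u


def oaep3_unpad(B: int, t: int, u: int) -> tuple:
    """Inverse rounds; defined for every (B, t, u), so every ciphertext decrypts."""
    s = u ^ H(B, t)
    r = t ^ G(s)
    m = s ^ F(r)
    return m, r


def encrypt(m: int, r: int) -> int:
    B, t, u = oaep3_pad(m, r)
    x = (B << (K + ELL)) | (t << ELL) | u   # element of {0}^kappa x {0,1}^(k+ell)
    return pow(x, E, N)


def decrypt(c: int) -> tuple:
    """Returns (m, r, B); B != 0 means c was not produced by encrypt."""
    x = pow(c, D, N)
    B = x >> (K + ELL)
    t = (x >> ELL) & ((1 << K) - 1)
    u = x & ((1 << ELL) - 1)
    m, r = oaep3_unpad(B, t, u)
    return m, r, B


def is_reachable(c: int) -> bool:
    """A ciphertext is valid (reachable) iff re-encrypting its decryption gives it back."""
    m, r, _ = decrypt(c)
    return encrypt(m, r) == c


def reachable_fraction(n: int) -> float:
    """Fraction of the ciphertexts 1..n that are reachable (about 2^(k+ell)/N here)."""
    return sum(is_reachable(c) for c in range(1, n + 1)) / n


if __name__ == "__main__":
    c = encrypt(0xDEADBEEF, 0x1234)
    print(decrypt(c)[:2], is_reachable(c))
    # an arbitrary element of Z_N still decrypts, but is reachable only if B == 0
    print(decrypt(123456789), is_reachable(123456789))
    print(reachable_fraction(400))
```

With these parameters about a quarter of $\mathbb{Z}_N$ is reachable, which is the "greater than $1/2^\kappa$" proportion the text refers to for $\kappa = 2$.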


4.3 Security Result 

About the 3-round OAEP, one can claim the following security result, which states that the IND-CCA security level is achieved under the (set) partial-domain one-wayness of the trapdoor permutation [15].

Theorem 2. Let $\mathcal{A}$ be any chosen-ciphertext adversary against the 3-round OAEP construction with the trapdoor permutation family $\varphi$, within time $\tau$. After $q_f$, $q_g$, $q_h$ and $q_d$ queries to the random oracles $\mathcal{F}$, $\mathcal{G}$ and $\mathcal{H}$, and the decryption oracle respectively,

$$\mathrm{Adv}^{\mathrm{ind\text{-}cca}}(\tau) \le 2^\kappa \times \mathrm{Succ}^{\mathrm{s\text{-}pd\text{-}ow}}_\varphi(\tau + q_g \cdot q_h \times T_\varphi + q_d \cdot T_{lu},\ q_h) + \frac{q_f}{2^k} + \frac{q_g}{2^\ell} + 2^\kappa \times \left( \frac{q_d(2q_g + q_d)}{2^\ell} + \frac{q_d(3q_f + 2q_d)}{2^k} \right)$$

where $T_\varphi$ is the time complexity for evaluating $\varphi$, and $T_{lu}$ is the time complexity for a look up in a list.

Let us recall the definition of the (set) partial-domain one-wayness in our particular case, where $\mathcal{A}$ is any algorithm which outputs a subset of $\{0,1\}^k$ of size $q$:

$$\mathrm{Succ}^{\mathrm{s\text{-}pd\text{-}ow}}_\varphi(\mathcal{A}, q) = \Pr[t \in \mathcal{A}(\varphi_{\mathsf{pk}}(B, t, u))] \quad \text{and} \quad \mathrm{Succ}^{\mathrm{s\text{-}pd\text{-}ow}}_\varphi(\tau, q) = \max_{\mathcal{A}}\{\mathrm{Succ}^{\mathrm{s\text{-}pd\text{-}ow}}_\varphi(\mathcal{A}, q)\},$$

which is assumed to be small for any reasonable time bound $\tau$.


4.4 Sketch of the Proof 

The goal of the proof is again to simulate the oracles. For simulating the random oracles, we use lists as usual to store the known answers. We simulate the decryption oracle as follows: when we receive a query $y$, either the corresponding $s$ and $t$ have both been asked to $\mathcal{G}$ and $\mathcal{H}$, and we can extract $m$, or one of them has not been asked, and we can safely answer a random plaintext. However, such a plaintext-ciphertext relation implicitly defines several relations about the random oracles $\mathcal{F}$, $\mathcal{G}$ and $\mathcal{H}$. We show that it is still possible to answer consistently. The challenge ciphertext also implicitly defines relations. We show that possible inconsistencies with the latter relations cannot be detected by the adversary unless it has partially inverted the function $\varphi_{\mathsf{pk}}$ on the challenge ciphertext.

The proof is provided by a sequence of games, but for clarity reasons, we 
briefly explain only the distances between two consecutive games. The formal 
and full proofs are provided in the Appendix A. 
Game $\mathbf{G}_0$: The adversary is fed with the public key $\mathsf{pk}$, and outputs a pair of messages $(m_0, m_1)$. Next a challenge ciphertext is produced by flipping a coin $b$ and producing a ciphertext $c^*$ of $m^* = m_b$. This ciphertext comes from a random $r^* \leftarrow \{0,1\}^k$ and $c^* = \mathcal{E}(m_b, r^*) = \varphi_{\mathsf{pk}}(0^\kappa, t, u)$. On input $c^*$, $\mathcal{A}_2$ outputs bit $b'$ in time $\tau$. We denote by $S_0$ the event $b' = b$ and use the same notation $S_n$ in any game $\mathbf{G}_n$ below. Note that the adversary is given access to the decryption oracle $\mathcal{D}_{\mathsf{sk}}$ during both steps of the attack. The adversary can also ask the random oracles $\mathcal{F}$, $\mathcal{G}$ and $\mathcal{H}$.

Game $\mathbf{G}_1$: The simulation in this game is presented in Figure 1. We simulate the way that the challenge $c^*$ is generated as the challenger would do, and we simulate the random oracles $\mathcal{F}$, $\mathcal{G}$ and $\mathcal{H}$, as well as the decryption oracle $\mathcal{D}_{\mathsf{sk}}$, by maintaining lists $\mathcal{F}$-List, $\mathcal{G}$-List, $\mathcal{H}$-List and $\mathcal{D}$-List to deal with identical queries, since they all are deterministic. Since the simulation is perfect, we directly derive that

$$\Pr[S_1] = \Pr[S_0]. \quad (1)$$

Game $\mathbf{G}_2$: We manufacture the challenge $c^*$ independently of anything else.

► Rule Chal$^{(2)}$
Choose randomly ahead of time $c^+ \leftarrow F$ and set $c^* = c^+$.

Lemma 3. Let us denote by $(B^+, t^+, u^+)$ the pre-image of the challenge $c^+$. We denote by $\mathsf{AskH}_2$ the event that $B^+\|t^+$ has been asked to $\mathcal{H}$. Then,

$$\Pr[S_1] \le \frac{1}{2} + \frac{q_f}{2^k} + \frac{q_g}{2^\ell} + 2^\kappa \times \Pr[\mathsf{AskH}_2]. \quad (2)$$

Proof (Full proof in Appendix A.1). The main idea in simulating this game is that we make the components of the challenge $c^*$ (namely $r^*, f^*, s^*, g^*, t^*, h^*, u^*$ and $c^*$) independent of $m^*$. We can do this by choosing ahead of time random values for $r^*$, $s^*$ and $t^*$, and we can see that a difference occurs when one of these values is asked to the corresponding oracle. On the other hand, when the challenge is independent of $m^*$, the attacker has only a chance of one half to guess the bit $b$. □

Game $\mathbf{G}_3$: In this game, we modify the simulation of the decryption oracle, by outputting a random message when the ciphertext has not been “correctly” encrypted. We thereafter define in a consistent way the values of the random oracles:

► Rule Decrypt-TnoS$^{(3)}$
Choose $m \leftarrow \{0,1\}^\ell$ and $g \leftarrow \{0,1\}^k$, then define $r = t \oplus g$ and $f = m \oplus s$.
Add $(r, f)$ in $\mathcal{F}$-List, and $(s, g)$ in $\mathcal{G}$-List.

► Rule Decrypt-noT$^{(3)}$
Choose $m \leftarrow \{0,1\}^\ell$, $h \leftarrow \{0,1\}^\ell$ and $g \leftarrow \{0,1\}^k$, then define $s = u \oplus h$, $r = t \oplus g$ and $f = m \oplus s$.
Add $(r, f)$ in $\mathcal{F}$-List, $(s, g)$ in $\mathcal{G}$-List, and $(B, t, h)$ in $\mathcal{H}$-List.
Random oracles:

Query $\mathcal{F}(r)$: if a record $(r, f)$ appears in $\mathcal{F}$-List, the answer is $f$. Otherwise the answer $f$ is chosen randomly: $f \leftarrow \{0,1\}^\ell$ and the record $(r, f)$ is added in $\mathcal{F}$-List.

Query $\mathcal{G}(s)$: if a record $(s, g)$ appears in $\mathcal{G}$-List, the answer is $g$. Otherwise the answer $g$ is chosen randomly: $g \leftarrow \{0,1\}^k$ and the record $(s, g)$ is added in $\mathcal{G}$-List.

► Rule EvalGAdd$^{(1)}$
Do nothing.

Query $\mathcal{H}(B\|t)$: if a record $(B, t, h)$ appears in $\mathcal{H}$-List, the answer is $h$. Otherwise the answer $h$ is chosen randomly: $h \leftarrow \{0,1\}^\ell$ and the record $(B, t, h)$ is added in $\mathcal{H}$-List.

Decryption oracle:

Query $\mathcal{D}_{\mathsf{sk}}(c)$: if a record $(m, c)$ appears in $\mathcal{D}$-List, the answer is $m$. Otherwise the answer $m$ is defined according to the following rules:

► Rule Decrypt-Init$^{(1)}$
Compute $(B, t, u) = \psi_{\mathsf{sk}}(c)$;

Look up for $(B, t, h) \in \mathcal{H}$-List:

— if the record is found, compute $s = u \oplus h$. Look up for $(s, g) \in \mathcal{G}$-List:

  • if the record is found

    ► Rule Decrypt-TS$^{(1)}$
    $h = \mathcal{H}(B\|t)$, $s = u \oplus h$, $g = \mathcal{G}(s)$, $r = t \oplus g$, $f = \mathcal{F}(r)$, $m = s \oplus f$.

  • otherwise

    ► Rule Decrypt-TnoS$^{(1)}$
    same as rule Decrypt-TS$^{(1)}$.

— otherwise

  ► Rule Decrypt-noT$^{(1)}$
  same as rule Decrypt-TS$^{(1)}$.

Answer $m$ and add $(m, c)$ to $\mathcal{D}$-List.

Challenger:

For two messages $(m_0, m_1)$, flip a coin $b$ and set $m^* = m_b$, choose randomly $r^*$, then answer $c^*$, where

► Rule Chal$^{(1)}$
$f^* = \mathcal{F}(r^*)$, $s^* = m^* \oplus f^*$, $g^* = \mathcal{G}(s^*)$, $t^* = r^* \oplus g^*$, $h^* = \mathcal{H}(0^\kappa\|t^*)$, $u^* = s^* \oplus h^*$.
Compute $c^* = \varphi_{\mathsf{pk}}(0^\kappa, t^*, u^*)$.

Fig. 1. Formal Simulation of the IND-CCA Game against 3-OAEP.
Lemma 4.


| Pr[AskH 3 ] - Pr[AskH 2 ] [ < Qd + q ^ + 2 9d ^ . (3) 

Proof (Full proof in Appendix A.2). In the proof, one successively modifies the simulation of the decryption oracle, just changing the order of elements to be randomly chosen, so that the decryption of a ciphertext which has not been correctly encrypted is a truly random plaintext. □

Game $\mathbf{G}_4$: In this game, we delay the explicit definitions of some oracle answers implicitly defined by some plaintext-ciphertext relations: we do not introduce them during the simulation of the decryption oracle, but when $s$ is asked to $\mathcal{G}$. Some problems may appear if the implicitly defined answers are asked before $\mathcal{G}(s)$ is queried.

► Rule Decrypt-TnoS$^{(4)}$
Choose $m \leftarrow \{0,1\}^\ell$.

► Rule Decrypt-noT$^{(4)}$
Choose $m \leftarrow \{0,1\}^\ell$.

► Rule EvalGAdd$^{(4)}$
Look up for $(B, t, h) \in \mathcal{H}$-List and $(m, c) \in \mathcal{D}$-List such that $c = \varphi_{\mathsf{pk}}(B, t, h \oplus s)$.
If the record is found, we compute $r = t \oplus g$ and $f = m \oplus s$, and finally add $(r, f)$ in $\mathcal{F}$-List.

Lemma 5. 

| Pr[AskH 4 ] - Pr[AskH 3 ] | < (4) 

Proof (Full proof in Appendix A.3). Since we don't store anymore $(r, f)$, $(s, g)$, $(B, t, h)$, inconsistencies could occur when $B\|t$, $s$ or $r$ are asked. For solving this problem, we modify the rule EvalGAdd by defining in a consistent way $\mathcal{F}(r)$ at the moment that $s$ is asked to $\mathcal{G}$. But there is still a problem if $r$ is asked before $\mathcal{G}(s)$ is queried, or if $s$ is asked before $\mathcal{H}(B\|t)$ is queried. □

Game $\mathbf{G}_5$: We now complete the simulation of the oracle $\mathcal{D}_{\mathsf{sk}}$. We don't ask any query to $\psi_{\mathsf{sk}}$. Intuitively, if both $B\|t$ and $s$ have been asked, we can easily find them, and then $m$. Otherwise, we give a random answer as in the game $\mathbf{G}_4$.

► Rule Decrypt-Init$^{(5)}$
Look up for $(B, t, h) \in \mathcal{H}$-List and $(s, g) \in \mathcal{G}$-List such that $\varphi_{\mathsf{pk}}(B, t, s \oplus h) = c$,

— if the record is found, we furthermore define $u = s \oplus h$,

— otherwise, we take $B = \bot$, $t = \bot$, $u = \bot$.

► Rule Decrypt-TS$^{(5)}$
$r = t \oplus g$, $f = \mathcal{F}(r)$, $m = s \oplus f$.

The two games $\mathbf{G}_5$ and $\mathbf{G}_4$ are perfectly indistinguishable. In fact, in the first case, nothing is modified and in the second case, by taking $B = \bot$, $t = \bot$, $u = \bot$, the answer of the decryption oracle for the question $c$ will be a random $m$ as in the game $\mathbf{G}_4$:

$$\Pr[\mathsf{AskH}_5] = \Pr[\mathsf{AskH}_4]. \quad (5)$$

Simply outputting the list of queries to $\mathcal{H}$ during this game, one gets:

$$\Pr[\mathsf{AskH}_5] \le \mathrm{Succ}^{\mathrm{s\text{-}pd\text{-}ow}}_\varphi(\tau', q_h), \quad (6)$$

where $\tau'$ is the running time of the simulation in this game: $\tau' \le q_g \cdot q_h \times T_\varphi + q_d \times T_{lu}$. We can indeed perform the simulation granted an additional list $\mathcal{GH}$-List which contains all the tuples $(B, t, h, s, g, y)$ where $(B, t, h) \in \mathcal{H}$-List, $(s, g) \in \mathcal{G}$-List and $y = \varphi_{\mathsf{pk}}(B, t, s \oplus h)$. This concludes the proof of the Theorem.


4.5 Special Cases 

In the particular but classical case where $\kappa = 0$ and $k < \ell$, one can claim

Theorem 6. Let $\mathcal{A}$ be any chosen-ciphertext adversary against the 3-round OAEP construction with the trapdoor permutation family $\varphi$, within time $\tau$. After $q_o$ and $q_d$ queries to the random oracles and the decryption oracle respectively,

$$\mathrm{Adv}^{\mathrm{ind\text{-}cca}}(\tau) \le \mathrm{Succ}^{\mathrm{s\text{-}pd\text{-}ow}}_\varphi(\tau + q_o^2 \times T_\varphi + q_d \times T_{lu},\ q_o) + \frac{2q_o + q_d(5q_o + 2q_d)}{2^k}$$

where $T_\varphi$ is the time complexity for evaluating $\varphi$, and $T_{lu}$ is the time complexity for a look up in a list.


5 Conclusion 

We have described the Full-Domain Permutation encryption, which is IND-CCA without redundancy and provides an optimal bandwidth. In the random oracle model, we have shown that the absence of redundancy can be obtained by considering the 3-round OAEP construction. However, the bandwidth is not optimal, and the security relies on the strong partial-domain one-wayness assumption.
A Complements for the Proof of Theorem 2

A.1 Proof of Lemma 3

Game $\mathbf{G}_{1.1}$: For proving this lemma, we present a more detailed sequence of games from the game $\mathbf{G}_1$ to the game $\mathbf{G}_2$. We first make the value of the random seed $r^*$ explicit and move its generation up-front.

► Rule Chal$^{(1.1)}$
The two values $r^+ \leftarrow \{0,1\}^k$, $f^+ \leftarrow \{0,1\}^\ell$ have been chosen ahead of time, then
$r^* = r^+$, $f^* = f^+$, $s^* = m^* \oplus f^+$, $g^* = \mathcal{G}(s^*)$, $t^* = r^+ \oplus g^*$, $h^* = \mathcal{H}(0^\kappa\|t^*)$, $u^* = s^* \oplus h^*$.
Compute $c^* = \varphi_{\mathsf{pk}}(0^\kappa, t^*, u^*)$.

The two games $\mathbf{G}_{1.1}$ and $\mathbf{G}_1$ are perfectly indistinguishable unless $r^*$ has been asked to $\mathcal{F}$. We define this event $\mathsf{AskF}_{1.1}$. We have:

$$|\Pr[S_{1.1}] - \Pr[S_1]| \le \Pr[\mathsf{AskF}_{1.1}]. \quad (7)$$

In this game, $f^+$ is used in $(s^*, t^*)$ but does not appear in the computation since $\mathcal{F}(r^+)$ is not defined to be equal to $f^+$. Thus, the input to $\mathcal{A}_2$ follows a distribution that does not depend on $b$. Accordingly:

$$\Pr[S_{1.1}] = \frac{1}{2}. \quad (8)$$

Game $\mathbf{G}_{1.2}$: In this game, instead of defining $s^*$ from $f^*$, which is a random value $f^+$, we randomly choose $s^*$ and then we define $f^+$ from $s^*$. Because $s^*$ is chosen randomly, we give a random answer for the question $s^*$ to $\mathcal{G}$.
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►Rule Chafi 12 ) 

The values r+ -e- {0, l} fc , s + -e- {0, l} e , g + -e- {0, l} k have been 
chosen ahead of time, then 

r* = r + s* = s+ g * = g + /* = s + ® m* 
t* = r + ® <? + h * = %(f*) u* = s+ © h*. 

Compute c* = <^ p k(0 K , t*, u*). 

The two games Gi . 2 and Gi.i are perfectly indistinguishable unless s* is asked 
for Q. We define this event AskGi.2- We have: 

| Pr[AskFi. 2 ] - Pr[AskFi.i] | < Pr[AskGi. 2 ]. (9) 

In this game, r + = t* 0 g + is uniformly distributed, and independently of the 
adversary’s view since g + is never revealed: 

Pr[AskF 12 ] = (10) 

Game $\mathbf{G}_{1.3}$: Similarly to the above game, instead of defining $t^*$ from a random $g^+$, we randomly choose $t^*$ and then we define $g^+$ from $t^*$. Because $t^*$ is chosen randomly, we give a random answer for the question $0^K \| t^*$ to $H$.

► Rule Chal$^{(1.3)}$
The values $r^+ \leftarrow \{0,1\}^k$, $s^+ \leftarrow \{0,1\}^\ell$, $t^+ \leftarrow \{0,1\}^k$, $h^+ \leftarrow \{0,1\}^\ell$ have been chosen ahead of time, then
\[ r^* = r^+, \quad s^* = s^+, \quad t^* = t^+, \quad h^* = h^+, \quad f^* = s^+ \oplus m^*, \quad g^* = t^+ \oplus r^+, \quad u^* = s^+ \oplus h^+. \]
Compute $c^* = \varphi_{pk}(0^K, t^*, u^*)$.

The two games $\mathbf{G}_{1.3}$ and $\mathbf{G}_{1.2}$ are perfectly indistinguishable unless $0^K \| t^*$ is asked to $H$. We define this event $\mathsf{AskH}_{1.3}$. We have:
\[ |\Pr[\mathsf{AskG}_{1.3}] - \Pr[\mathsf{AskG}_{1.2}]| \le \Pr[\mathsf{AskH}_{1.3}]. \tag{11} \]

In this game, $s^+ = u^* \oplus h^+$ is uniformly distributed, and independent of the adversary's view since $h^+$ is never revealed:
\[ \Pr[\mathsf{AskG}_{1.3}] \le q_g / 2^\ell. \]

Game $\mathbf{G}_{1.4}$: We manufacture the challenge $c^*$ independently of anything else.

► Rule Chal$^{(1.4)}$
The values $t^+ \leftarrow \{0,1\}^k$, $u^+ \leftarrow \{0,1\}^\ell$ have been chosen ahead of time. Compute $c^* = \varphi_{pk}(0^K, t^+, u^+)$.

The distribution of $c^*$ remains the same:
\[ \Pr[\mathsf{AskH}_{1.4}] = \Pr[\mathsf{AskH}_{1.3}]. \tag{12} \]


Game $\mathbf{G}_{1.5}$: We choose the challenge $c^*$ uniformly in the space $\mathcal{F}$.

► Rule Chal$^{(1.5)}$
The value $c^+ \leftarrow \mathcal{F}$ is chosen randomly ahead of time, then $c^* = c^+$.

We can write $c^+$ as $\varphi_{pk}(B^+, t^+, u^+)$. We define $\mathsf{AskH}_{1.5}$ as the event that $B^+ \| t^+$ is asked to $H$. In the case $B^+ = 0^K$, an event denoted by $\mathsf{GoodB}$ whose probability is at least $1/2^K$, this game is identical to the previous one:
\[ \Pr[\mathsf{AskH}_{1.5}] = \Pr[\mathsf{AskH}_{1.5} \wedge \mathsf{GoodB}] + \Pr[\mathsf{AskH}_{1.5} \wedge \neg\mathsf{GoodB}] \ge \Pr[\mathsf{AskH}_{1.5} \mid \mathsf{GoodB}] \cdot \Pr[\mathsf{GoodB}] \ge \Pr[\mathsf{AskH}_{1.4}] \cdot \frac{1}{2^K}. \tag{13} \]

To conclude the proof of the lemma, one first notes that the games $\mathbf{G}_{1.5}$ and $\mathbf{G}_2$ are identical, and thus $\Pr[\mathsf{AskH}_{1.5}] = \Pr[\mathsf{AskH}_2]$. Then, combining all the above equations, one gets
\[ \begin{aligned}
\Pr[S_1] &\le \Pr[S_{1.1}] + \Pr[\mathsf{AskF}_{1.1}] \le \tfrac{1}{2} + \Pr[\mathsf{AskF}_{1.1}] \\
&\le \tfrac{1}{2} + \Pr[\mathsf{AskF}_{1.2}] + \Pr[\mathsf{AskG}_{1.2}] \\
&\le \tfrac{1}{2} + \Pr[\mathsf{AskF}_{1.2}] + \Pr[\mathsf{AskG}_{1.3}] + 2^K \cdot \Pr[\mathsf{AskH}_{1.5}] \\
&\le \tfrac{1}{2} + \frac{q_f}{2^k} + \frac{q_g}{2^\ell} + 2^K \cdot \Pr[\mathsf{AskH}_2].
\end{aligned} \]

A.2 Proof of Lemma 4

Game $\mathbf{G}_{2.1}$: First, we modify the rule Decrypt-noT by not calling the oracles $G$ and $H$ anymore. Let us recall that in this rule the adversary asks a $\mathcal{D}$-query on $c = \varphi_{pk}(B, t, u)$ such that $H(B \| t)$ has never been queried.

► Rule Decrypt-noT$^{(2.1)}$
Choose $h \leftarrow \{0,1\}^\ell$ and set $s = u \oplus h$.
Choose $g \leftarrow \{0,1\}^k$ and set $r = t \oplus g$.
Compute $f = F(r)$ and set $m = s \oplus f$.
Add $(s, g)$ in G-List, $(B, t, h)$ in H-List.

The two games $\mathbf{G}_{2.1}$ and $\mathbf{G}_2$ are perfectly indistinguishable unless $s$ is already in G-List. Because $B \| t$ has not been queried to $H$, $h = H(B \| t)$ is uniformly distributed and therefore we can consider $s$ as a uniform variable. So, the probability that $s$ has already been queried to $G$ is at most $(q_g + q_d)/2^\ell$:
\[ |\Pr[\mathsf{AskH}_{2.1}] - \Pr[\mathsf{AskH}_2]| \le q_d (q_g + q_d)/2^\ell. \tag{14} \]

16 Duong Hieu Phan and David Pointcheval

Game $\mathbf{G}_{2.2}$: In this game, we modify again the rule Decrypt-noT by not querying the oracle $F$ either:

► Rule Decrypt-noT$^{(2.2)}$
Choose $h \leftarrow \{0,1\}^\ell$ and set $s = u \oplus h$.
Choose $g \leftarrow \{0,1\}^k$ and set $r = t \oplus g$.
Choose $f \leftarrow \{0,1\}^\ell$ and set $m = s \oplus f$.
Add $(r, f)$ in F-List, $(s, g)$ in G-List, $(B, t, h)$ in H-List.

The two games $\mathbf{G}_{2.2}$ and $\mathbf{G}_{2.1}$ are perfectly indistinguishable unless $r$ is already in F-List. Since $g$ is randomly chosen, we can consider $r$ as a uniform variable. So, the probability that $r$ has already been queried to $F$ is less than $(q_f + q_d)/2^k$:
\[ |\Pr[\mathsf{AskH}_{2.2}] - \Pr[\mathsf{AskH}_{2.1}]| \le q_d (q_f + q_d)/2^k. \tag{15} \]

Game $\mathbf{G}_{2.3}$: Still in the rule Decrypt-noT, instead of defining $m$ from a random $f$, we first choose $m$ and then we define $f$ from $m$:

► Rule Decrypt-noT$^{(2.3)}$
Choose $m \leftarrow \{0,1\}^\ell$.
Choose $h \leftarrow \{0,1\}^\ell$ and set $s = u \oplus h$.
Choose $g \leftarrow \{0,1\}^k$ and set $r = t \oplus g$.
Compute $f = m \oplus s$.
Add $(r, f)$ in F-List, $(s, g)$ in G-List, $(B, t, h)$ in H-List.

The two games $\mathbf{G}_{2.3}$ and $\mathbf{G}_{2.2}$ are perfectly indistinguishable:
\[ \Pr[\mathsf{AskH}_{2.3}] = \Pr[\mathsf{AskH}_{2.2}]. \tag{16} \]

Game $\mathbf{G}_{2.4}$: We now modify the rule Decrypt-TnoS by not calling the oracles $F$ and $G$ anymore. In this rule, the adversary asks for the decryption of $c = \varphi_{pk}(B, t, u)$ such that $h = H(B \| t)$ is known, but $s = u \oplus h$ has never been queried to $G$.

► Rule Decrypt-TnoS$^{(2.4)}$
Choose $g \leftarrow \{0,1\}^k$ and set $r = t \oplus g$.
Choose $f \leftarrow \{0,1\}^\ell$ and set $m = s \oplus f$.
Add $(r, f)$ in F-List, $(s, g)$ in G-List.

The two games $\mathbf{G}_{2.4}$ and $\mathbf{G}_{2.3}$ are perfectly indistinguishable unless $r$ is already in F-List. Since $g$ is randomly chosen ($s$ is not in G-List), we can consider $r$ as a uniform variable. So, the probability that $r$ has been queried to $F$ is less than $(q_f + q_d)/2^k$:
\[ |\Pr[\mathsf{AskH}_{2.4}] - \Pr[\mathsf{AskH}_{2.3}]| \le q_d (q_f + q_d)/2^k. \tag{17} \]

Game $\mathbf{G}_{2.5}$: As above, in the rule Decrypt-TnoS, instead of defining $m$ from a random $f$, we first choose $m$ and then we define $f$ from $m$:

► Rule Decrypt-TnoS$^{(2.5)}$
Choose $m \leftarrow \{0,1\}^\ell$.
Choose $g \leftarrow \{0,1\}^k$ and set $r = t \oplus g$.
Compute $f = m \oplus s$.
Add $(r, f)$ in F-List, $(s, g)$ in G-List.

The two games $\mathbf{G}_{2.5}$ and $\mathbf{G}_{2.4}$ are perfectly indistinguishable:
\[ \Pr[\mathsf{AskH}_{2.5}] = \Pr[\mathsf{AskH}_{2.4}]. \tag{18} \]

A.3 Proof of Lemma 5

Game $\mathbf{G}_{3.1}$: In this game, we no longer store $(s, g)$ in G-List, nor $(r, f)$ in F-List, and we modify the simulation of $G$ so that F-List is built as soon as possible:

► Rule Decrypt-TnoS$^{(3.1)}$
Choose $m \leftarrow \{0,1\}^\ell$.

► Rule Decrypt-noT$^{(3.1)}$
Choose $h \leftarrow \{0,1\}^\ell$.
Choose $m \leftarrow \{0,1\}^\ell$.
Add $(B, t, h)$ in H-List.

► Rule EvalGAdd$^{(3.1)}$
Search $(B, t, h) \in$ H-List and $(m, c) \in$ R-List such that $c = \varphi_{pk}(B, t, h \oplus s)$. If the record is found, we compute $r = t \oplus g$, $f = m \oplus s$ and add $(r, f)$ in F-List.

The two games $\mathbf{G}_{3.1}$ and $\mathbf{G}_3$ are perfectly indistinguishable unless $r$ is asked to $F$ before $s$ is asked to $G$; we denote this event by $\mathsf{AskRbS}$. In fact, if $r$ is asked after $s$, then at the moment $s$ is asked, by the above simulation of $G$, we find $(B, t, h)$, and therefore $(r, f)$ is computed and added in F-List as in the game $\mathbf{G}_3$.
\[ |\Pr[\mathsf{AskH}_{3.1}] - \Pr[\mathsf{AskH}_3]| \le \Pr[\mathsf{AskRbS}_{3.1}]. \tag{19} \]

Until $s$ is asked, $g$ is a uniform variable, and so is $r$. Therefore, the probability that $r$ has been asked to $F$ is $q_f / 2^k$:
\[ \Pr[\mathsf{AskRbS}_{3.1}] \le q_d \cdot q_f / 2^k. \tag{20} \]
Game $\mathbf{G}_{3.2}$: We continue to simulate the oracle $\mathcal{D}_{sk}$. We use the following rule:

► Rule Decrypt-noT$^{(3.2)}$
Choose $m \leftarrow \{0,1\}^\ell$.

In this game, we no longer store $(B, t, h)$ in H-List. In $\mathbf{G}_{3.1}$, for the question $t$, we answer with a random $h$, so the attacker cannot distinguish the answers to a question to $H$ in the two games $\mathbf{G}_{3.2}$ and $\mathbf{G}_{3.1}$. Nevertheless, H-List has been changed, and therefore the answer to a question to $F$ can change. We easily see that the two games $\mathbf{G}_{3.2}$ and $\mathbf{G}_{3.1}$ are perfectly indistinguishable unless $s$ is asked to $G$ before $B \| t$ is asked to $H$; we denote this event by $\mathsf{AskSbT}$. In fact, if $s$ is asked to $G$ after $B \| t$ is asked to $H$, then at the moment $s$ is asked, by the above simulation of $G$, we find $(B, t, h)$, and therefore $(r, f)$ is computed and added in F-List as in the game $\mathbf{G}_{3.1}$.
\[ |\Pr[\mathsf{AskH}_{3.2}] - \Pr[\mathsf{AskH}_{3.1}]| \le \Pr[\mathsf{AskSbT}_{3.2}]. \tag{21} \]

Until $B \| t$ is asked to $H$, $h$ is a uniform variable, and so is $s = u \oplus h$. Therefore, the probability that $s$ has been asked to $G$ is $q_g / 2^\ell$:
\[ \Pr[\mathsf{AskSbT}_{3.2}] \le q_d \cdot q_g / 2^\ell. \]
Abstract. In this paper, we study some RSA-based semantically secure encryption schemes (IND-CPA) in the standard model. We first derive the exactly tight one-wayness of the Rabin-Paillier encryption scheme, which assumes that factoring Blum integers is hard. We next propose the first IND-CPA scheme whose one-wayness is equivalent to factoring general $n = pq$ (not factoring Blum integers). Our reductions of one-wayness are very tight because they require only one decryption-oracle query.

Keywords: Factoring, semantic security, tight reduction, RSA-Paillier, Rabin-Paillier.

1 Introduction 

1.1 Background 

An encryption scheme should have strong one-wayness as well as high semantic security. Therefore, it is desirable to construct a semantically secure encryption scheme whose one-wayness is equivalent to factoring $n = pq$ in the standard model. (There are several provably secure constructions in the random oracle model. For example, see [Sho01,FOPS01,Bon01].)

The RSA-Paillier encryption scheme is semantically secure against chosen plaintext attacks (IND-CPA) in the standard model under the RSA-Paillier assumption [CGHN01]. The assumption claims that
\[ \mathit{SMALL}_{RSAP} = \{ r^e \bmod n^2 \mid r \in \mathbb{Z}_n \} \quad \text{and} \quad \mathit{LARGE}_{RSAP} = \{ r^e \bmod n^2 \mid r \in \mathbb{Z}_{n^2} \} \]
are indistinguishable, where $(n, e)$ is the public key of RSA. Further, it is one-way if breaking RSA is hard. The latter problem was first raised by [ST02] and finally proved by [CNS02] using the LLL algorithm of lattice theory.

On the other hand, $n (= pq)$ is called a Blum integer if $p \equiv q \equiv 3 \pmod 4$. Galindo et al. recently considered the Rabin-Paillier encryption scheme and showed that it is one-way if factoring Blum integers is hard [GMMV03].

C.S. Laih (Ed.): ASIACRYPT 2003, LNCS 2894, pp. 19-36, 2003.
© International Association for Cryptologic Research 2003

However, there is a large gap between the one-wayness which they proved and the difficulty of factoring. That is, suppose that the one-wayness is broken with probability $\epsilon$. Then what Galindo et al. proved is that Blum integers can be factored with probability $\epsilon^2$. Further, the factoring problem is restricted to Blum integers, not general $p, q$.

(The one-wayness of the Okamoto-Uchiyama scheme [OU98] is equivalent to factoring $n = p^2 q$, but not $n = pq$.)

1.2 Our Contribution 

In this paper, we study the tight one-wayness of some RSA-based semantically 
secure encryption schemes (IND-CPA) in the standard model, where the one- 
wayness must be equivalent to factoring n = pq. 

We first show that Rabin-Paillier encryption scheme has no gap between the 
real one-wayness and the difficulty of factoring Blum integers. (In other words, 
we give a factoring algorithm with success probability e.) Our proof technique 
is quite different from previous proofs. In particular: 

— Our proof technique requires only one decryption-oracle query while the pre- 
vious proofs for RSA/Rabin-Paillier encryption schemes require two oracle 
queries [CNS02,GMMV03]. 

— No LLL algorithm is required, which was essentially used in the previous 
proofs for RSA/Rabin-Paillier schemes [CNS02,GMMV03]. 

We next propose the first IND-CPA scheme such that the one-wayness is 
equivalent to factoring general n = pq (not factoring Blum integers). The one- 
wayness is proved by applying our proof technique as mentioned above. There- 
fore, our security reduction of one-wayness is very tight. That is, there is almost 
no gap between the one-wayness and the hardness of the general factoring prob- 
lem. 

The proposed scheme is obtained from an encryption scheme presented by Kurosawa et al. [KIT88,KOMM01]. The semantic security holds under a natural extension of the RSA-Paillier assumption. That is, it is semantically secure (IND-CPA) if the two distributions $\mathit{SMALL}_{RSAK}$ and $\mathit{LARGE}_{RSAK}$ are indistinguishable, where we define $\mathit{SMALL}_{RSAK}$ and $\mathit{LARGE}_{RSAK}$ as appropriate subsets of $\mathit{SMALL}_{RSAP}$ and $\mathit{LARGE}_{RSAP}$, respectively. We also show a close relationship between our assumption and the RSA-Paillier assumption.

This paper is organized as follows: In Section 2, we describe notions required 
for the security description in this paper. In Section 3, the exact security reduc- 
tion algorithm for Rabin-Paillier encryption scheme is presented. In Section 4, 
the proposed scheme is presented. In Section 5, we prove that the one-wayness 
of the proposed scheme is as hard as general factoring problem. In Section 6, we 
discuss the semantic security of the proposed scheme. Sec. 7 includes some final 
comments. 


Related works: Cramer and Shoup showed a semantically secure encryption scheme against chosen ciphertext attacks (IND-CCA) under the decisional Diffie-Hellman assumption [CS98]. They recently showed a general framework to construct IND-CCA schemes [CS02].

It will be future work to develop an IND-CCA scheme whose one-wayness is equivalent to the factoring problem in the standard model. We hope that our results provide a good starting point for this challenging problem.

2 Security of Encryption Schemes 

PPT will denote a “probabilistic polynomial time” . 

2.1 Encryption Scheme 

A public-key encryption scheme $\mathcal{PE} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ consists of three algorithms. The key generation algorithm $\mathcal{K}$ outputs $(pk, sk)$ on input $1^l$, where $pk$ is a public key, $sk$ is the secret key and $l$ is a security parameter. We write $(pk, sk) \leftarrow \mathcal{K}$. The encryption algorithm $\mathcal{E}$ outputs a ciphertext $c$ on input the public key $pk$ and a plaintext (message) $m$; we write $c \leftarrow \mathcal{E}_{pk}(m)$. The decryption algorithm $\mathcal{D}$ outputs $m$ or reject on input the secret key $sk$ and a ciphertext $c$; we write $x \leftarrow \mathcal{D}_{sk}(c)$, where $x = m$ or reject. We require that $\mathcal{D}_{sk}(\mathcal{E}_{pk}(m)) = m$ for each plaintext $m$. $\mathcal{K}$ and $\mathcal{E}$ are PPT algorithms, and $\mathcal{D}$ is a polynomial time algorithm.


2.2 One-Wayness 

The one-wayness problem is as follows: given a public key $pk$ and a ciphertext $c$, find the plaintext $m$ such that $c \leftarrow \mathcal{E}_{pk}(m)$. Formally, for an adversary $A$, consider the following experiment:
\[ (pk, sk) \leftarrow \mathcal{K}, \quad c \leftarrow \mathcal{E}_{pk}(m), \quad \hat{m} \leftarrow A(pk, c), \]
where $m$ is randomly chosen from the domain of $pk$. Let
\[ \mathrm{Adv}^{ow}_{\mathcal{PE}}(A) = \Pr(\hat{m} = m). \]
For any $t > 0$, define
\[ \mathrm{Adv}^{ow}_{\mathcal{PE}}(t) = \max_A \mathrm{Adv}^{ow}_{\mathcal{PE}}(A), \]
where the maximum is over all $A$ who run in time $t$.

Definition 1. We say that $\mathcal{PE}$ is $(t, \epsilon)$-one-way if $\mathrm{Adv}^{ow}_{\mathcal{PE}}(t) \le \epsilon$. We also say that $\mathcal{PE}$ is one-way if $\mathrm{Adv}^{ow}_{\mathcal{PE}}(A)$ is negligible for any PPT adversary $A$.

2.3 Semantic Security 

We say that a public-key encryption scheme $\mathcal{PE} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ is semantically secure against chosen plaintext attacks (SS-CPA) if it is hard to find any (partial) information on $m$ from $c$. This notion is equivalent to indistinguishability (IND-CPA), which is described as follows [BDPR98,Gol01].



22 Kaoru Kurosawa and Tsuyoshi Takagi


We consider an adversary $B = (B_1, B_2)$ as follows. In the "find" stage, $B_1$ takes a public key $pk$ and outputs $(m_0, m_1, state)$, where $m_0$ and $m_1$ are two equal-length plaintexts and $state$ is some state information. In the "guess" stage, $B_2$ gets a challenge ciphertext $c \leftarrow \mathcal{E}_{pk}(m_b)$ from an oracle, where $b$ is a randomly chosen bit. $B_2$ finally outputs a bit $\hat{b}$. We say that an encryption scheme $\mathcal{PE}$ is secure in the sense of IND-CPA if $|\Pr(\hat{b} = b) - 1/2|$ is negligible.

Formally, for each security parameter $l$, let
\[ (pk, sk) \leftarrow \mathcal{K}, \quad (m_0, m_1, state) \leftarrow B_1(pk), \quad c \leftarrow \mathcal{E}_{pk}(m_b), \quad \hat{b} \leftarrow B_2(c, state). \]

Definition 2. We say that $\mathcal{PE}$ is secure in the sense of indistinguishability against chosen-plaintext attack (IND-CPA) if
\[ \mathrm{Adv}^{ind}_{\mathcal{PE}}(B) = |\Pr(\hat{b} = b) - 1/2| \]
is negligible for any PPT adversary $B$.

If an adversary $B = (B_1, B_2)$ is allowed to access the decryption oracle $\mathcal{D}_{sk}(\cdot)$, we denote it by $B^{\mathcal{D}} = (B_1^{\mathcal{D}}, B_2^{\mathcal{D}})$. If $\mathrm{Adv}^{ind}_{\mathcal{PE}}(B^{\mathcal{D}})$ is negligible for any PPT adversary $B^{\mathcal{D}}$, we say that $\mathcal{PE}$ is secure in the sense of indistinguishability against adaptive chosen-ciphertext attack (IND-CCA).


2.4 Factoring Assumptions 

The general factoring problem is to factor $n = pq$, where $p$ and $q$ are two primes such that $|p| = |q|$. Formally, for a factoring algorithm $B$, consider the following experiment. Generate two random primes $p$ and $q$ such that $|p| = |q|$. Give $n = pq$ to $B$. We say that $B$ succeeds if $B$ can output $p$ or $q$.

Definition 3. We say that the general factoring problem is $(t, \epsilon)$-hard if $\Pr(B \text{ succeeds}) \le \epsilon$ for any $B$ who runs in time $t$. We also say that it is hard if $\Pr(B \text{ succeeds})$ is negligible for any PPT algorithm $B$.

The general factoring assumption claims that the general factoring problem is hard.

We say that $n (= pq)$ is a Blum integer if $p$ and $q$ are prime numbers such that $p \equiv q \equiv 3 \pmod 4$ and $|p| = |q|$. The Blum-factoring problem is defined similarly. The Blum-factoring assumption claims that the Blum-factoring problem is hard.

3 Exact One-Wayness of Rabin-Paillier Scheme 

Galindo et al. recently constructed the Rabin-Paillier encryption scheme [GMMV03] and showed that its one-wayness is as hard as factoring Blum integers, where $n = pq$ is called a Blum integer if $p \equiv q \equiv 3 \pmod 4$. However, there is a polynomially bounded gap between the difficulty of factoring and the claimed one-wayness. This is because they used the same proof technique as that of [CNS02].

In this section, we show that there exists no gap between the difficulty of factoring Blum integers and the real one-wayness of the Rabin-Paillier encryption scheme. In other words, we present the exactly tight one-wayness of the Rabin-Paillier encryption scheme.

Our proof is very simple and entirely elementary. In particular, no LLL algorithm is required, which was essential in the previous proofs for RSA/Rabin-Paillier [CNS02,GMMV03].

3.1 Rabin-Paillier Encryption Scheme 

The Rabin-Paillier encryption scheme is described as follows. Let
\[ Q_n = \{ r^2 \bmod n \mid r \in \mathbb{Z}_n^* \}. \]
We say that $\tilde{r} \in \mathbb{Z}_n^*$ is conjugate if $(\tilde{r}/n) = -1$, where $(\cdot/n)$ denotes the Jacobi symbol.

(Secret key) Two prime numbers $p$ and $q$ such that $|p| = |q|$ and $p \equiv q \equiv 3 \pmod 4$.
(Public key) $n (= pq), e$, where $e$ is a prime such that $|n|/2 < e < |n|$.
(Plaintext) $m \in \mathbb{Z}_n$.
(Ciphertext)
\[ c = r^{2e} + mn \bmod n^2, \tag{1} \]
where $r \in Q_n$ is randomly chosen.
(Decryption) Since $e$ is a prime such that $|n|/2 < e < |n|$ (such an $e$ is larger than both $p$ and $q$), it satisfies
\[ \gcd(e, p - 1) = \gcd(e, q - 1) = 1. \tag{2} \]
Therefore, there exists $d$ such that $ed \equiv 1 \bmod \mathrm{lcm}(p - 1, q - 1)$.

Now let $E = c^d \bmod n$. Then it is easy to see that
\[ E = r^2 \bmod n. \]
We can find $r$ such that $r \in Q_n$ uniquely because $p \equiv q \equiv 3 \pmod 4$. Finally, by substituting $r$ into eq.(1), we can obtain $m$.

In [GMMV03], the authors showed that the Rabin-Paillier encryption scheme is secure in the sense of IND-CPA if $(n, e, \mathcal{E}(n, e; 0))$ and $(n, e, Q_{n^2})$ are indistinguishable, where
\[ \mathcal{E}(n, e; 0) = \{ r^{2e} \bmod n^2 \mid r \in Q_n \}. \]

Remarks:

1. In [GMMV03], the condition on $e$ is restricted to $\gcd(e, \lambda(n)) = 1$, where $\lambda$ is Carmichael's function. However, for this parameter choice, we cannot prove that the one-wayness is as hard as the factoring problem, because we cannot generally choose such an $e$ for a given $n$. In Appendix B, we also point out a flaw in their claim for the semantic security of the Rabin-Paillier cryptosystem.

2. The RSA-Paillier encryption scheme is obtained by letting
\[ c = r^e (1 + mn) \bmod n^2 \]
for $m \in \mathbb{Z}_n$ and $r \in \mathbb{Z}_n$ [CGHN01].
3.2 Exactly Tight One-Wayness

Suppose that there exists a PPT algorithm that breaks the one-wayness with probability $\epsilon$. Then Galindo et al. proved that there exists a PPT algorithm that can factor Blum integers $n$ with probability $\epsilon^2$ (see the proof of [GMMV03, Proposition 6]).

In this subsection, we show that there exists a PPT algorithm that can factor Blum integers $n$ with probability $\epsilon$. Since the converse is clear, our reduction is exactly tight.


Table 1. Factoring probability using an OW-oracle with success probability $\epsilon$

Scheme                      | Factoring probability
----------------------------|----------------------
Galindo et al. [GMMV03]     | $\epsilon^2$
Our proposed proof          | $\epsilon$


Lemma 1. Let $n$ be a Blum integer. For any conjugate $\tilde{r}$, there exists a unique $r \in Q_n$ such that
\[ r^2 = \tilde{r}^2 \bmod n. \tag{3} \]
Further, $\gcd(r - \tilde{r}, n) = p$ or $q$.

Proof. Note that $(-1/p) = -1$ and $(-1/q) = -1$ for a Blum integer $n = pq$. A conjugate $\tilde{r} \in \mathbb{Z}_n^*$ satisfies $(\tilde{r}/n) = -1$, namely (I): $(\tilde{r}/p) = 1 \wedge (\tilde{r}/q) = -1$ or (II): $(\tilde{r}/p) = -1 \wedge (\tilde{r}/q) = 1$. In the case of (I), define $r = \tilde{r} \bmod p$ and $r = -\tilde{r} \bmod q$; then the statement of the lemma is obtained. Similarly, in the case of (II) we assign $r = -\tilde{r} \bmod p$ and $r = \tilde{r} \bmod q$. □

Theorem 1. The Rabin-Paillier encryption scheme is $(t, \epsilon)$-one-way if the Blum-factoring problem is $(t', \epsilon)$-hard, where $t' = t + O((\log n)^3)$.

Proof. Suppose that there exists an oracle $O$ which breaks the one-wayness of the Rabin-Paillier encryption scheme with probability $\epsilon$ in time $t$. We will show a factoring algorithm $A$.

We show how to find $r$ and $\tilde{r}$ satisfying eq.(3). On input $n$, $A$ first chooses a prime $e$ such that $|n|/2 < e < |n|$ randomly. $A$ next chooses a conjugate $\tilde{r} \in \mathbb{Z}_n^*$ and a (fake) plaintext $\tilde{m} \in \mathbb{Z}_n$ randomly, and computes a (fake) ciphertext
\[ c = \tilde{r}^{2e} + \tilde{m} n \bmod n^2. \]
It is clear that $c$ is uniquely written as $c = B_0 + B_1 n \bmod n^2$ for some $B_0 \in Q_n$, $B_1 \in \mathbb{Z}_n$. Note that

1. $B_1$ is uniformly distributed over $\mathbb{Z}_n$ because $\tilde{m}$ is randomly chosen from $\mathbb{Z}_n$, and
2. $B_0$ is uniformly distributed over $\{ r^{2e} \bmod n \mid r \in Q_n \}$ from Lemma 1.
Therefore, $c$ is distributed in the same way as valid ciphertexts.

Now $A$ queries $c$ to the oracle $O$. $O$ then answers a (valid) plaintext $m$ such that
\[ c = r^{2e} + mn \bmod n^2 \]
with probability $\epsilon$ in time $t$, where $r \in Q_n$. Then we have
\[ c = r^{2e} = \tilde{r}^{2e} \bmod n. \]
Hence we see that $r^2 = \tilde{r}^2 \bmod n$. Therefore, $r^2$ is written as
\[ r^2 = \tilde{r}^2 + yn \tag{4} \]
for some $y \in \mathbb{Z}_n$ (with no modulus). By letting $x = \tilde{r}^2 \bmod n^2$, we obtain that
\[ w = c - mn = r^{2e} = (x + yn)^e = x^e + eynx^{e-1} \bmod n^2. \tag{5} \]
It is easy to see that
\[ eyx^{e-1} = \frac{w - x^e}{n} \bmod n. \]
Therefore $y$ is obtained as
\[ y = (ex^{e-1})^{-1} \cdot \frac{w - x^e}{n} \bmod n. \]
Substitute $y$ into eq.(4). Then we can compute a square root $r > 0$ because eq.(4) has no modulus. Finally we can factor $n$ by using $(r, \tilde{r})$ from Lemma 1. □

Our algorithm $A$ for the Rabin-Paillier scheme is summarized as follows.

Exact_OW_Rabin_Paillier
Input: $(n, e)$, public key of the Rabin-Paillier scheme
Output: $p, q$, factoring of $n$
1. choose a random $\tilde{r} \in \mathbb{Z}_n^*$ such that $(\tilde{r}/n) = -1$.
2. compute $x = \tilde{r}^2 \bmod n^2$.
3. choose a random (fake) plaintext $\tilde{m} \in \mathbb{Z}_n$.
4. compute a ciphertext $c = x^e + \tilde{m} n \bmod n^2$.
5. obtain a valid plaintext $m = O(c)$.
6. compute $w = c - mn = r^{2e} \bmod n^2$.
7. compute $u = (w - x^e \bmod n^2)/n$.
8. compute $y = u (e x^{e-1})^{-1} \bmod n$.
9. compute $v = \tilde{r}^2 + ny$.
10. find $r > 0$ such that $r^2 = v$ in $\mathbb{Z}$.
11. return $\gcd(r - \tilde{r}, n)$.
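The scheme of Sect. 3.1 and the algorithm Exact_OW_Rabin_Paillier, run end to end over toy parameters. This is an added Python example, not code from the paper or its authors. It uses the honest decryption algorithm as the one-wayness oracle $O$ and recovers a prime factor of $n$ after the single oracle query. Assumptions: the primes 1019 and 1031 and the exponent 65537 are constructed here for illustration (65537 is checked to be coprime to $\mathrm{lcm}(p-1, q-1)$ rather than drawn from the paper's range for $e$), and step 9 reduces $x + ny$ modulo $n^2$ instead of taking it over the integers, which also covers the case $r^2 < \tilde{r}^2$ in which the $y$ of eq. (4) is negative.

```python
from math import gcd, isqrt
import random


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0 by quadratic reciprocity; needs no factorisation of n."""
    a, result = a % n, 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def crt(xp, xq, p, q):
    """Residue modulo n = pq with the given residues modulo p and q."""
    return (xp * q * pow(q, -1, p) + xq * p * pow(p, -1, q)) % (p * q)


def qr_sqrt(E, p, q):
    """The unique square root of E that lies in Q_n for a Blum integer n = pq (Lemma 1):
    the root that is itself a quadratic residue modulo both p and q."""
    roots = []
    for pr in (p, q):
        s = pow(E, (pr + 1) // 4, pr)               # a square root mod pr, valid since pr = 3 mod 4
        roots.append(s if pow(s, (pr - 1) // 2, pr) == 1 else pr - s)   # keep the residue root
    return crt(roots[0], roots[1], p, q)


def rp_keygen(p, q, e):
    """Rabin-Paillier keys: p = q = 3 mod 4, prime e with gcd(e, lcm(p-1, q-1)) = 1, d = e^-1."""
    assert p % 4 == 3 and q % 4 == 3
    n, lam = p * q, (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    assert gcd(e, lam) == 1 and gcd(e, n) == 1
    return (n, e), (p, q, pow(e, -1, lam))


def rp_encrypt(pk, m, r):
    """Eq. (1): c = r^(2e) + m n mod n^2, with r in Q_n (a quadratic residue mod n) and m in Z_n."""
    n, e = pk
    return (pow(r, 2 * e, n * n) + m * n) % (n * n)


def rp_decrypt(pk, sk, c):
    """Decryption of Sect. 3.1: c^d = r^2 mod n, take the residue root r, then m = (c - r^(2e))/n."""
    n, e = pk
    p, q, d = sk
    r = qr_sqrt(pow(c, d, n), p, q)
    return ((c - pow(r, 2 * e, n * n)) % (n * n)) // n


def exact_ow_rabin_paillier(pk, oracle, seed=0):
    """Factoring algorithm of Theorem 1 with one query to the one-wayness oracle O."""
    n, e = pk
    n2, rng = n * n, random.Random(seed)
    while True:                                     # 1. a random conjugate: Jacobi symbol -1
        rt = rng.randrange(2, n)
        if gcd(rt, n) == 1 and jacobi(rt, n) == -1:
            break
    x = rt * rt % n2                                # 2.
    m_fake = rng.randrange(n)                       # 3.
    c = (pow(x, e, n2) + m_fake * n) % n2           # 4. distributed exactly like a real ciphertext
    m = oracle(c)                                   # 5. the only oracle call
    w = (c - m * n) % n2                            # 6. = r^(2e) mod n^2 for the residue root r
    u = ((w - pow(x, e, n2)) % n2) // n             # 7. a multiple of n since w = x^e mod n
    y = u * pow(e * pow(x, e - 1, n), -1, n) % n    # 8. from (x + yn)^e = x^e + e y n x^(e-1) mod n^2
    v = (x + n * y) % n2                            # 9. = r^2 as an integer because r < n; the
                                                    #    reduction mod n^2 absorbs a negative y in eq. (4)
    r = isqrt(v)                                    # 10.
    assert r * r == v
    return gcd(r - rt, n)                           # 11. p or q by Lemma 1


if __name__ == "__main__":
    p, q = 1019, 1031                               # toy Blum primes, constructed for this demo
    pk, sk = rp_keygen(p, q, 65537)
    print(exact_ow_rabin_paillier(pk, lambda c: rp_decrypt(pk, sk, c)) in (p, q))
```

The returned value is always one of the two primes: the residue root $r$ and the conjugate $\tilde{r}$ agree modulo exactly one of $p$, $q$, so $r - \tilde{r}$ is a non-trivial multiple of that prime. Changing the seed only changes which conjugate is used, not the outcome.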


4 New Encryption Scheme 

In this section, we propose an encryption scheme such that its one-wayness 
is as hard as the general factoring problem of n = pq (not factoring Blum 
integers). The proposed scheme is obtained from an encryption scheme proposed 
by Kurosawa et al. [KIT88,KOMM01]. 
4.1 Kurosawa et al.'s Encryption Scheme

Kurosawa et al. showed an encryption scheme as follows [KIT88].

(Secret key) Two prime numbers $p$ and $q$ such that $|p| = |q|$.
(Public key) $n (= pq)$ and $a$ such that
\[ (a/p) = (a/q) = -1, \tag{6} \]
where $(a/p)$ denotes the Legendre symbol.
(Plaintext) $m \in \mathbb{Z}_n^*$.
(Ciphertext) $c = (E, s, t)$ such that
\[ E = m + \frac{a}{m} \bmod n, \tag{7} \]
\[ s = \begin{cases} 0 & \text{if } (m/n) = 1; \\ 1 & \text{if } (m/n) = -1, \end{cases} \qquad t = \begin{cases} 0 & \text{if } (a/m \bmod n) > m; \\ 1 & \text{if } (a/m \bmod n) < m. \end{cases} \]
(Decryption) From eq.(7), it holds that
\[ m^2 - Em + a = 0 \bmod n. \tag{8} \]
The above equation has four roots. However, we can decrypt $m$ uniquely from $(s, t)$ due to eq.(6) [KIT88,KOMM01]. Also see [KT03, Appendix E].

In [KIT88,KOMM01], it is proved that this encryption scheme is one-way under the general factoring assumption.


4.2 Proposed Encryption Scheme

(Secret key) Two prime numbers $p$ and $q$ such that $|p| = |q|$.
(Public key) $n (= pq), e, a$, where $e$ is a prime such that $|n|/2 < e < |n|$ and $a \in \mathbb{Z}_n^*$ satisfies
\[ (a/p) = (a/q) = -1. \tag{9} \]
(Plaintext) $m \in \mathbb{Z}_n$.
(Ciphertext)
\[ c = \left( r + \frac{a}{r} \right)^e + mn \bmod n^2, \tag{10} \]
where $r \in \mathbb{Z}_n^*$ is a random element such that $(r/n) = 1$ and $(a/r \bmod n) > r$. (We can compute $1/r \bmod n^2$ faster than by the direct method [KT03, Sec.4.3].)
(Decryption) Let $E = c^d \bmod n$, where $ed \equiv 1 \bmod \mathrm{lcm}(p - 1, q - 1)$. Then it is easy to see that
\[ E = r + \frac{a}{r} \bmod n. \]
Note that $(E, 0, 0)$ is the ciphertext of $r$ under Kurosawa et al.'s encryption scheme. Therefore we can find $r$ by decrypting $(E, 0, 0)$ with its decryption algorithm. Finally, by substituting $r$ into eq.(10), we can obtain $m$.
5 One-Wayness of the Proposed Scheme

In this section, we show the one-wayness of the proposed scheme by applying the proof technique developed in Sec. 3. Our security reduction is very tight. That is, there is almost no gap between the one-wayness and the hardness of the general factoring problem. Indeed, our proof requires only one decryption-oracle query, while the previous proofs for the RSA/Rabin-Paillier encryption schemes require two oracle queries [CNS02,GMMV03].

5.1 Proof of One-Wayness

We say that

1. $r \in \mathbb{Z}_n^*$ is principal if $(r/n) = 1$ and $(a/r \bmod n) > r$.
2. $\tilde{r} \in \mathbb{Z}_n^*$ is conjugate if $(\tilde{r}/n) = -1$.

Note that in terms of the parameters of Kurosawa et al.'s encryption scheme, $r \in \mathbb{Z}_n^*$ is principal if $(s, t) = (0, 0)$ and $\tilde{r} \in \mathbb{Z}_n^*$ is conjugate if $s = 1$.

Lemma 2. For any conjugate $\tilde{r}$, there exists a unique principal $r$ such that
\[ E = \tilde{r} + \frac{a}{\tilde{r}} = r + \frac{a}{r} \bmod n. \tag{11} \]
Further, $\gcd(r - \tilde{r}, n) = p$ or $q$.

Proof. There are four different solutions of Kurosawa et al.'s encryption $E$, corresponding to $(s, t) = (0,0), (0,1), (1,0), (1,1)$, as shown in [KIT88,KOMM01]. (Also see [KT03, Appendix E].) A conjugate $\tilde{r}$ satisfies $(\tilde{r}/p) = 1 \wedge (\tilde{r}/q) = -1$ or $(\tilde{r}/p) = -1 \wedge (\tilde{r}/q) = 1$, for $s = 1$. Define $r_1 = \tilde{r} \bmod p \wedge r_1 = a/\tilde{r} \bmod q$ and $r_2 = a/\tilde{r} \bmod p \wedge r_2 = \tilde{r} \bmod q$. Then either $r_1$ or $r_2$ is the required principal $r$. Hence, the former part of this lemma holds. Further, $r \ne \tilde{r} \bmod p \wedge r = \tilde{r} \bmod q$ or $r = \tilde{r} \bmod p \wedge r \ne \tilde{r} \bmod q$ holds due to $(a/p) = (a/q) = -1$. Therefore, we can see that $\gcd(r - \tilde{r}, n) = p$ or $q$. □

From eq.(11), it holds that
\[ r + a/r = (\tilde{r} + a/\tilde{r}) + yn \bmod n^2 \tag{12} \]
for some unique $y \in \mathbb{Z}_n$.

Lemma 3. Suppose that we have $(\tilde{r}, y)$ satisfying eq.(12) for some principal $r$, where $\tilde{r}$ is conjugate. Then we can factor $n$.

Proof. We show that $r$ can be computed from $(y, \tilde{r})$. Let
\[ v = (\tilde{r} + a/\tilde{r}) + yn \bmod n^2. \]
Then we have
\[ r^2 - vr + a = 0 \bmod n^2 \]
from eq.(12). We can solve this quadratic equation by using Coppersmith's algorithm [Cop96] because $0 < r < n$. Then we can factor $n$ from Lemma 2. □
Lemma 4. Suppose that there exists an oracle $O$ that breaks the one-wayness of the proposed scheme with probability $\epsilon$ and in time $t$. Then there exists an algorithm $A$ which factors $n$ from $(n, e, a)$ with probability $\epsilon$ in time $t + \mathrm{poly}(\log n)$, where $O$ is invoked once.

Proof. We show how to find $\tilde{r}$ and $y$ satisfying eq.(12). On input $(n, e, a)$, $A$ first chooses a conjugate $\tilde{r} \in \mathbb{Z}_n^*$ randomly and computes
\[ x = \tilde{r} + \frac{a}{\tilde{r}} \bmod n^2. \tag{13} \]
It next chooses a (fake) plaintext $\tilde{m} \in \mathbb{Z}_n$ randomly and computes
\[ c = x^e + \tilde{m} n \bmod n^2. \]
It is clear that $c$ is uniquely written as $c = B_0 + B_1 n \bmod n^2$ for some $B_0, B_1 \in \mathbb{Z}_n$. Note that (1) $B_1$ is uniformly distributed over $\mathbb{Z}_n$ because $\tilde{m}$ is randomly chosen from $\mathbb{Z}_n$. (2) $B_0$ is uniformly distributed over $\{ (r + a/r)^e \bmod n \mid r \in \mathbb{Z}_n^* \text{ is principal} \}$ from Lemma 2. Therefore, $c$ is distributed in the same way as valid ciphertexts.

Now $A$ queries $c$ to the oracle $O$. $O$ then answers a (valid) plaintext $m$ such that
\[ c = \left( r + \frac{a}{r} \right)^e + mn \bmod n^2 \]
with probability $\epsilon$ and in time $t$, where $r \in \mathbb{Z}_n^*$ is principal. Then we have
\[ c = \left( r + \frac{a}{r} \right)^e = x^e \bmod n. \]
Hence we see that $r + \frac{a}{r} = x \bmod n$. Therefore, there exists $y \in \mathbb{Z}_n$ such that
\[ r + \frac{a}{r} = x + yn \bmod n^2. \]
We then obtain that
\[ w = c - mn = (r + a/r)^e = (x + yn)^e = x^e + eynx^{e-1} \bmod n^2. \]
It is easy to see that
\[ eyx^{e-1} = \frac{w - x^e}{n} \bmod n. \]
Therefore $y$ is obtained as
\[ y = (ex^{e-1})^{-1} \cdot \frac{w - x^e}{n} \bmod n. \]
Finally we can factor $n$ by using $(\tilde{r}, y)$ from Lemma 3. □
Our algorithm $A$ for the proposed scheme is summarized as follows:

OW_Reciprocal_Paillier
Input: $(n, e, a)$, public key of the proposed scheme
Output: $p, q$, factoring of $n$
1. choose a random $\tilde{r} \in \mathbb{Z}_n^*$ such that $(\tilde{r}/n) = -1$.
2. compute $x = \tilde{r} + a/\tilde{r} \bmod n^2$.
3. choose a random (fake) plaintext $\tilde{m} \in \mathbb{Z}_n$.
4. compute a ciphertext $c = x^e + \tilde{m} n \bmod n^2$.
5. obtain a valid plaintext $m = O(c)$.
6. compute $w = c - mn = (r + a/r)^e \bmod n^2$.
7. compute $u = (w - x^e \bmod n^2)/n$.
8. compute $y = u (e x^{e-1})^{-1} \bmod n$.
9. compute $v = (\tilde{r} + a/\tilde{r}) + ny \bmod n^2$.
10. solve $r^2 - vr + a = 0 \bmod n^2$ using Coppersmith's algorithm [Cop96].
11. return $\gcd(\tilde{r} - r, n)$.
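Kurosawa et al.'s scheme (Sect. 4.1), the proposed scheme (Sect. 4.2) and steps 1 to 9 of OW_Reciprocal_Paillier over toy parameters, as an added Python example that is not code from the paper or its authors. Assumptions: the primes 1009 and 1013 are constructed for the demo and are both $\equiv 1 \pmod 4$, so $n$ is not a Blum integer and the square roots in the Kurosawa decryption go through Tonelli-Shanks; $e = 65537$ is checked coprime to $\mathrm{lcm}(p-1, q-1)$ rather than drawn from the paper's range; and the Jacobi symbol $(m/n)$ is evaluated as the product of the two Legendre symbols because the demo holds $p$ and $q$ (a real sender or attacker uses the quadratic-reciprocity algorithm, which needs only $n$). Step 10, Coppersmith's small-root algorithm, is not implemented: the demo instead verifies that the principal $r$ produced by the key holder satisfies $r^2 - vr + a \equiv 0 \pmod{n^2}$ with $0 < r < n$, i.e. that it is the root step 10 would return, and that $\gcd(r - \tilde{r}, n)$ is a prime factor as Lemma 2 states.

```python
from math import gcd
import random


def legendre(a, p):
    """Legendre symbol (a/p) for an odd prime p, by Euler's criterion."""
    s = pow(a % p, (p - 1) // 2, p)
    return -1 if s == p - 1 else s


def sqrt_mod_prime(a, p):
    """Tonelli-Shanks: a square root of the quadratic residue a modulo the odd prime p."""
    a %= p
    if a == 0 or p % 4 == 3:
        return pow(a, (p + 1) // 4, p)
    q, s = p - 1, 0
    while q % 2 == 0:
        q, s = q // 2, s + 1
    z = next(z for z in range(2, p) if legendre(z, p) == -1)
    m, c, t, r = s, pow(z, q, p), pow(a, q, p), pow(a, (q + 1) // 2, p)
    while t != 1:
        i, t2 = 0, t
        while t2 != 1:
            i, t2 = i + 1, t2 * t2 % p
        b = pow(c, 1 << (m - i - 1), p)
        m, c, t, r = i, b * b % p, t * b * b % p, r * b % p
    return r


def crt(xp, xq, p, q):
    return (xp * q * pow(q, -1, p) + xq * p * pow(p, -1, q)) % (p * q)


def recip(r, a, mod):
    """r + a/r modulo mod (mod = n in eq. (7), mod = n^2 in eq. (10))."""
    return (r + a * pow(r, -1, mod)) % mod


def st_bits(m, a, p, q):
    """Tag (s, t) of Kurosawa et al.: s from (m/n), t from comparing a/m mod n with m.
    (m/n) is the product of the Legendre symbols here only because the demo knows p and q."""
    n = p * q
    s = 0 if legendre(m, p) * legendre(m, q) == 1 else 1
    t = 0 if a * pow(m, -1, n) % n > m else 1
    return s, t


def principal(r, a, p, q):
    """Sect. 5.1: r in Z_n^* with (r/n) = 1 and a/r mod n > r, i.e. tag (0, 0)."""
    return gcd(r, p * q) == 1 and st_bits(r, a, p, q) == (0, 0)


def kurosawa_decrypt(E, s, t, a, p, q):
    """Eq. (8): m^2 - E m + a = 0 mod n has four roots (quadratic formula mod p and mod q, then
    CRT); exactly one of them carries the tag (s, t), which is what eq. (6) guarantees."""
    def roots(pr):
        d = sqrt_mod_prime((E * E - 4 * a) % pr, pr)
        return [(E + d) * pow(2, -1, pr) % pr, (E - d) * pow(2, -1, pr) % pr]
    (m,) = [x for x in (crt(mp, mq, p, q) for mp in roots(p) for mq in roots(q))
            if st_bits(x, a, p, q) == (s, t)]
    return m


def rec_keygen(p, q, e):
    """Proposed scheme keys: a with (a/p) = (a/q) = -1 (eq. (9)), d = e^-1 mod lcm(p-1, q-1)."""
    n, lam = p * q, (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    assert gcd(e, lam) == 1 and gcd(e, n) == 1
    a = next(a for a in range(2, n) if legendre(a, p) == legendre(a, q) == -1)
    return (n, e, a), (p, q, pow(e, -1, lam))


def rec_encrypt(pk, m, r):
    """Eq. (10): c = (r + a/r mod n^2)^e + m n mod n^2 for a principal r and m in Z_n."""
    n, e, a = pk
    return (pow(recip(r, a, n * n), e, n * n) + m * n) % (n * n)


def rec_open(pk, sk, c):
    """Decryption of Sect. 4.2; returns (m, r). E = c^d mod n = r + a/r mod n and (E, 0, 0)
    decrypts under Kurosawa et al.'s scheme to the principal r."""
    n, e, a = pk
    p, q, d = sk
    r = kurosawa_decrypt(pow(c, d, n), 0, 0, a, p, q)
    return ((c - pow(recip(r, a, n * n), e, n * n)) % (n * n)) // n, r


def ow_reciprocal_paillier_steps(p, q, e, seed=1):
    """Steps 1-9 of OW_Reciprocal_Paillier with the honest decryptor as oracle O. Step 10
    (Coppersmith) is not run; the key holder's r is used only to check the claims of Lemmas 2-3."""
    rng = random.Random(seed)
    pk, sk = rec_keygen(p, q, e)
    n, _, a = pk
    n2 = n * n
    while True:                                       # 1. a conjugate r_tilde, Jacobi symbol -1
        rt = rng.randrange(2, n)
        if gcd(rt, n) == 1 and legendre(rt, p) * legendre(rt, q) == -1:
            break
    x = recip(rt, a, n2)                              # 2.
    c = (pow(x, e, n2) + rng.randrange(n) * n) % n2   # 3.-4. fake plaintext, fake ciphertext
    m, r = rec_open(pk, sk, c)                        # 5. O(c); r is kept only for the check
    w = (c - m * n) % n2                              # 6. = (r + a/r)^e mod n^2
    u = ((w - pow(x, e, n2)) % n2) // n               # 7. a multiple of n since w = x^e mod n
    y = u * pow(e * pow(x, e - 1, n), -1, n) % n      # 8.
    v = (x + n * y) % n2                              # 9. = r + a/r mod n^2, eq. (12)
    return {"n": n, "a": a, "v": v, "r_tilde": rt, "r": r,
            "quadratic_holds": (r * r - v * r + a) % n2 == 0 and 0 < r < n,
            "factor": gcd(r - rt, n)}                 # 11. p or q by Lemma 2
```

The dictionary returned by `ow_reciprocal_paillier_steps` exposes exactly what Lemma 3 hands to Coppersmith's algorithm: the modulus $n^2$ and the monic quadratic $r^2 - vr + a$ whose root $r$ is smaller than $n = (n^2)^{1/2}$, the bound under which [Cop96] finds it in polynomial time.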


Theorem 2. The proposed encryption scheme is $(t, \epsilon)$-one-way if the general factoring problem is $(t', \epsilon/2)$-hard, where $t' = t + \mathrm{poly}(\log n)$.

Proof. Suppose that there exists a PPT algorithm that breaks the one-wayness of the proposed scheme with probability $\epsilon$ in time $t$. Then we show a PPT algorithm which can factor $n$.

For a given $n$, we choose a prime $e$ such that $|n|/2 < e < |n|$ randomly. We also choose $a \in \mathbb{Z}_n^*$ such that $(a/n) = 1$ randomly. It is easy to see that $a$ satisfies eq.(9) with probability $1/2$. Next apply Lemma 4 to $(n, e, a)$. Then we can factor $n$ with probability $\epsilon/2$ in time $t' = t + \mathrm{poly}(\log n)$. □

The proposed scheme is a combination of the scheme of Kurosawa et al. and the RSA-Paillier scheme. Another construction is to encrypt a message $m \in \mathbb{Z}/n\mathbb{Z}$ as follows:
\[ c = \left( r^e + \frac{a}{r^e} \right) + mn \bmod n^2, \tag{14} \]
where $r \in \mathbb{Z}_n^*$ is a random element such that $(r^e \bmod n / n) = 1$ and $(a/r^e \bmod n) > r$. After computing $r^e \bmod n^2$, the reciprocal encryption is applied. However, the security analysis of this construction is more difficult: we cannot apply the above proof technique to this scheme, because $r^e \bmod n^2$ is larger than $n$.


5.2 Hensel Lifting and Large Message Space

Catalano et al. proved that the Hensel-RSA problem is as hard as breaking RSA for any lifting index $l$ [CNS02].

In this section, we define the Hensel-Reciprocal problem and show that it is as hard as general factorization for any lifting index $l$. This result implies that we can enlarge the message space of the proposed encryption scheme to $m \in \mathbb{Z}_{n^{l-1}}$ in such a way that
\[ c = \left( r + \frac{a}{r} \right)^e + mn \bmod n^l. \]

Suppose that we are given a public key $(n, e, a)$ of the proposed encryption scheme and
\[ y = \left( r + \frac{a}{r} \right)^e \bmod n, \]
where $r \in \mathbb{Z}_n^*$ is principal. The Hensel-Reciprocal problem is to compute
\[ Y = \left( r + \frac{a}{r} \right)^e \bmod n^l \]
from $(n, e, a, y)$ and $l$, where $r \in \mathbb{Z}_n^*$ is principal and $l$ is a positive integer. Then we can prove the following theorem (see [KT03]).

Theorem 3. The Hensel-Reciprocal problem is as hard as general factorization for any lifting index $l \ge 2$.

Proof. It is easy to see that we can solve the Hensel-Reciprocal problem if we can factor $n$. We will prove the converse.

Suppose that there exists a PPT algorithm which can solve the Hensel-Reciprocal problem with probability $\epsilon$ for some $l \ge 2$. That is, the PPT algorithm can compute $Y = (r + \frac{a}{r})^e \bmod n^l$ from $(n, e, a, y)$ and $l \ge 2$, where $r \in \mathbb{Z}_n^*$ is principal. Then we can compute $Y' = (r + \frac{a}{r})^e \bmod n^2$. Now, similarly to the proof of Lemma 4 and Theorem 2, we can factor $n$ with probability $\epsilon/2$ in polynomial time. □

6 Semantic Security of the Proposed Scheme

In this section, we discuss the semantic security of the proposed scheme. Let $(n, e, a)$ be a public key of the proposed encryption scheme.

6.1 Semantic Security

Let
\[ \mathit{SMALL}_{RSAP}(n, e) = \{ (n, e, x) \mid x = r^e \bmod n^2, r \in \mathbb{Z}_n \}, \]
\[ \mathit{LARGE}_{RSAP}(n, e) = \{ (n, e, x) \mid x = r^e \bmod n^2, r \in \mathbb{Z}_{n^2} \}. \]
Note that
\[ |\mathit{SMALL}_{RSAP}(n, e)| = n, \quad \text{and} \quad |\mathit{LARGE}_{RSAP}(n, e)| = n^2. \]
It is known that the RSA-Paillier encryption scheme is IND-CPA if $\mathit{SMALL}_{RSAP}(n, e)$ and $\mathit{LARGE}_{RSAP}(n, e)$ are indistinguishable [CGHN01]. We call this the RSA-Paillier assumption.
We now define $SMALL_{RSAK}(n, e, a)$ and $LARGE_{RSAK}(n, e, a)$ as follows. 

$SMALL_{RSAK}(n, e, a) = \{(n, e, a, x) \mid x = (r + a/r)^e \bmod n^2,\ r \in \mathbb{Z}_n^* \text{ is principal}\}$ 

$LARGE_{RSAK}(n, e, a) = \{(n, e, a, x) \mid x = (r + a/r)^e \bmod n^2,\ r \in \mathbb{Z}_{n^2}^*\}$. 

Note that 

$|SMALL_{RSAK}(n, e, a)| = \phi(n)/4$, and $|LARGE_{RSAK}(n, e, a)| = \phi(n)n/4$, 

because $r + a/r \bmod n^2$ is a $4 : 1$ mapping. 

Theorem 4. The proposed encryption scheme is secure in the sense of IND-CPA if the two distributions $SMALL_{RSAK}(n, e, a)$ and $LARGE_{RSAK}(n, e, a)$ are indistinguishable. 

We call the above indistinguishability the Reciprocal-Paillier assumption. A proof is given in Appendix A. 


6.2 Relationship with RSA-Paillier Assumption 

We investigate the relationship between the RSA-Paillier assumption and the Reciprocal-Paillier assumption. We first generalize $SMALL_{RSAP}$ and $LARGE_{RSAP}$ so that they include $a$. That is, let 

$SMALL'_{RSAP}(n, e, a) = \{(n, e, a, x) \mid x = r^e \bmod n^2,\ r \in \mathbb{Z}_n^*\}$ 
$LARGE'_{RSAP}(n, e, a) = \{(n, e, a, x) \mid x = r^e \bmod n^2,\ r \in \mathbb{Z}_{n^2}^*\}$ 

We then define the modified RSA-Paillier assumption as follows: $SMALL'_{RSAP}(n, e, a)$ and $LARGE'_{RSAP}(n, e, a)$ are indistinguishable. We next define the reciprocal assumption as follows: $SMALL_{RSAK}(n, e, a)$ and $SMALL'_{RSAP}(n, e, a)$ are indistinguishable. 

Then we have the following corollary of Theorem 4. 

Corollary 1. The proposed encryption scheme is secure in the sense of IND-CPA if both the modified RSA-Paillier assumption and the reciprocal assumption hold. 

Proof. We prove that $LARGE_{RSAK}(n, e, a)$ and $LARGE'_{RSAP}(n, e, a)$ are indistinguishable under the reciprocal assumption. Let $O$ be an oracle that distinguishes the two distributions $LARGE_{RSAK}(n, e, a)$ and $LARGE'_{RSAP}(n, e, a)$. We construct a distinguisher $D$ which can distinguish between $SMALL_{RSAK}(n, e, a)$ and $SMALL'_{RSAP}(n, e, a)$. For $(n, e, a, c)$, $D$ chooses a random $s \in \mathbb{Z}_n$ and computes $c' = c + ns \bmod n^2$. Then it asks $(n, e, a, c')$ to the oracle $O$. Because $s$ is randomly chosen in $\mathbb{Z}_n$, we can show that $(n, e, a, c')$ is uniformly distributed in either $LARGE_{RSAK}(n, e, a)$ or $LARGE'_{RSAP}(n, e, a)$. Thus the oracle $O$ can correctly distinguish between $SMALL_{RSAK}(n, e, a)$ and $SMALL'_{RSAP}(n, e, a)$. Therefore 

$SMALL_{RSAK} \approx SMALL'_{RSAP} \approx LARGE'_{RSAP} \approx LARGE_{RSAK},$ 

where $\approx$ means indistinguishable. This implies that the Reciprocal-Paillier assumption holds. □ 


7 On Chosen Ciphertext Security 

For chosen ciphertext security, we can obtain a variant of our encryption scheme as follows by applying the technique of [Poi99]: 

$c = \left((r + a/r)^e + mn \bmod n^2\right) \| H(r, m)$ 

where $H$ is a random hash function and $\|$ denotes concatenation. In the random oracle model, (1) this scheme is one-way against chosen ciphertext attacks under the general factoring assumption, and (2) it is also IND-CCA under the assumption given in Sec. 6. 

In the standard model, it still remains one-way and IND-CPA against chosen 
plaintext attacks. In general, we can prove the following theorem. 

Theorem 5. Let $PE$ be an encryption scheme with ciphertexts $c = E_{pk}(m, r)$. Suppose that (1) the set of $r$ belongs to BPP and (2) there exists a decryption algorithm which outputs not only $m$ but also $r$. For $PE$, consider an encryption scheme $PE'$ such that 

$c = E_{pk}(m, r) \| H(m, r).$ 

If $PE$ is one-way against chosen plaintext attacks (IND-CPA, resp.), then $PE'$ is one-way against chosen ciphertext attacks (IND-CCA, resp.) in the random oracle model. $PE'$ still remains one-way against chosen plaintext attacks (IND-CPA, resp.) in the standard model. 

The details will be given in the final paper. 
A Semantic Security of the Proposed Scheme 

A.1 Basic Result 

Let $ZERO(n, e, a)$ be the set of ciphertexts for $m = 0$ and $ALL(n, e, a)$ be the set of ciphertexts for all $m \in \mathbb{Z}_n$. That is, 

$ZERO(n, e, a) = \{(r + a/r)^e \bmod n^2 \mid r \in \mathbb{Z}_n^* \text{ is principal}\}$ 

$ALL(n, e, a) = \{(r + a/r)^e + mn \bmod n^2 \mid m \in \mathbb{Z}_n \text{ and } r \in \mathbb{Z}_n^* \text{ is principal}\}$. 

Define 

$Reciprocal_0(n, e, a) = \{(n, e, a, x) \mid x \in ZERO(n, e, a)\}$ 
$Reciprocal_{ALL}(n, e, a) = \{(n, e, a, x) \mid x \in ALL(n, e, a)\}$ 

Note that we have $Reciprocal_0(n, e, a) = SMALL_{RSAK}(n, e, a)$ from their definitions. 

Theorem 6. The proposed encryption scheme is secure in the sense of IND-CPA if and only if $Reciprocal_0(n, e, a)$ and $Reciprocal_{ALL}(n, e, a)$ are indistinguishable. 

Proof. Suppose that there exists an adversary $B = (B_1, B_2)$ which breaks our encryption scheme in the sense of IND-CPA, where $B_1$ works in the find stage and $B_2$ works in the guess stage. 

We will show a distinguisher $D$ which can distinguish between the two distributions $Reciprocal_0(n, e, a)$ and $Reciprocal_{ALL}(n, e, a)$. Let $(n, e, a, x)$ be the input to $D$, where $x \in ZERO(n, e, a)$ or $x \in ALL(n, e, a)$. 

1. $D$ gives $pk = (n, e, a)$ to $B_1$. 

2. Then $B_1$ outputs $(m_0, m_1, state)$. 

3. $D$ chooses a bit $b$ randomly and computes 

$c_b = x + m_b n \bmod n^2.$ 

$D$ gives $(c_b, state)$ to $B_2$. 

4. $B_2$ outputs a bit $b'$. 

5. $D$ outputs "0" if $b' = b$. Otherwise, $D$ outputs "1". 

Let $P_0$ denote the probability that $D = 0$ for $x \in ZERO(n, e, a)$ and $P_{ALL}$ denote the probability that $D = 0$ for $x \in ALL(n, e, a)$. 

Now if $x \in ALL(n, e, a)$, then $c_b$ is uniformly distributed over $ALL(n, e, a)$ for both $b = 0$ and $1$. Therefore, it is clear that 

$P_{ALL} = 1/2.$ 

On the other hand, if $x \in ZERO(n, e, a)$, then $c_b$ is a valid ciphertext of $m_b$. Therefore, from our assumption and from Def. 2, we obtain that 

$|P_0 - 1/2| = |\Pr(b' = b) - 1/2|$ 

is non-negligible. Hence 

$|P_0 - P_{ALL}|$ 

is non-negligible because $P_{ALL} = 1/2$. This means that $D$ can distinguish between $Reciprocal_0(n, e, a)$ and $Reciprocal_{ALL}(n, e, a)$. 

Next suppose that there exists a distinguisher $D$ which is able to distinguish between $Reciprocal_0(n, e, a)$ and $Reciprocal_{ALL}(n, e, a)$. We will show an adversary $B = (B_1, B_2)$ which breaks our encryption scheme in the sense of IND-CPA, where $B_1$ works in the find stage and $B_2$ works in the guess stage. On input $pk = (n, e, a)$, $B_1$ outputs $m_0 = 0$ and $m_1 \in \mathbb{Z}_n$, where $m_1$ is randomly chosen from $\mathbb{Z}_n$. For a given ciphertext $c_b$, $B_2$ gives $(n, e, a, c_b)$ to $D$, where $c_b$ is a ciphertext of $m_b$. 

Note that $c_0$ is randomly chosen from $ZERO(n, e, a)$ and $c_1$ is randomly chosen from $ALL(n, e, a)$. Therefore, $D$ can distinguish them from our assumption. Hence $B_2$ can distinguish them. □ 

A.2 Extended Result 

Lemma 5. $Reciprocal_{ALL}(n, e, a) = LARGE_{RSAK}(n, e, a)$. 

Proof. First suppose that $(n, e, a, c) \in LARGE_{RSAK}(n, e, a)$. Then 

$c = (r + a/r)^e \bmod n^2$ 

for some $r \in \mathbb{Z}_{n^2}^*$. Decrypt $c$ by our decryption algorithm. Then we can find $m \in \mathbb{Z}_n$ and a principal $r' \in \mathbb{Z}_n^*$ such that 

$c = (r' + a/r')^e + mn \bmod n^2.$ 

Therefore $(n, e, a, c) \in Reciprocal_{ALL}(n, e, a)$. This means that $LARGE_{RSAK}(n, e, a) \subseteq Reciprocal_{ALL}(n, e, a)$. 

Next suppose that $(n, e, a, c) \in Reciprocal_{ALL}(n, e, a)$. Then 

$c = (r + a/r)^e + mn \bmod n^2$ 

for some $m \in \mathbb{Z}_n$ and a principal $r \in \mathbb{Z}_n^*$. We will show that there exists $u \in \mathbb{Z}_{n^2}^*$ such that 

$c = (u + a/u)^e \bmod n^2 \qquad (15)$ 

and $u \bmod n$ is principal. The above equation holds if and only if 

$u^2 - c^d u + a = 0 \bmod n^2, \qquad (16)$ 

where $ed = 1 \bmod \phi(n)n$. For $y_p$ such that 

$(r^2 - c^d r + a) + p y_p (2r - c^d) = 0 \bmod p^2,$ 

let $u_p = r + p y_p \bmod p^2$. Then it is easy to see that 

$u_p^2 - c^d u_p + a = 0 \bmod p^2.$ 

Similarly, for $y_q$ such that 

$(r^2 - c^d r + a) + q y_q (2r - c^d) = 0 \bmod q^2,$ 

let $u_q = r + q y_q \bmod q^2$. Then 

$u_q^2 - c^d u_q + a = 0 \bmod q^2.$ 

Now consider $u$ such that 

$u = u_p \bmod p^2, \quad u = u_q \bmod q^2.$ 

Then $u$ satisfies eq. (16). Therefore $u$ satisfies eq. (15). This means that $c \in LARGE_{RSAK}(n, e, a)$. Hence 

$Reciprocal_{ALL}(n, e, a) \subseteq LARGE_{RSAK}(n, e, a).$ 

Consequently 

$LARGE_{RSAK}(n, e, a) = Reciprocal_{ALL}(n, e, a).$ 

□ 
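The lifting construction in the proof above, as an added worked example in Python (not code from the paper): it builds a ciphertext $c = (r + a/r)^e + mn \bmod n^2$, takes the $e$-th root $w = c^d \bmod n^2$ of eq. (16), lifts the root $r$ of $u^2 - wu + a$ from mod $p$ and mod $q$ to mod $p^2$ and mod $q^2$ exactly as the $y_p$ and $y_q$ construction does, recombines by CRT, and checks eq. (15). The primes $p = 11$, $q = 13$, exponent $e = 7$, $a = 3$, $r = 2$ and $m = 5$ are constructed toy values; the root $r$ that the paper obtains from the decryption algorithm (and its "principal" property) is simply passed in.

```python
# Added example: the Hensel-lifting step of Lemma 5 (not code from the paper).
# All parameters are constructed toy values; the root r that the paper obtains
# from the decryption algorithm is passed in directly.
from math import gcd


def reciprocal_encrypt(p, q, e, a, r, m):
    """Ciphertext c = (r + a/r)^e + m n mod n^2 of the proposed scheme."""
    n = p * q
    n2 = n * n
    w = (r + a * pow(r, -1, n2)) % n2
    return (pow(w, e, n2) + m * n) % n2


def lift_root(r, w, a, p):
    """Lift a root r of f(u) = u^2 - w u + a from mod p to mod p^2.

    This is the y_p of the proof: f(r) + p*y_p*(2r - w) = 0 mod p^2,
    which, since p | f(r), reduces to f(r)/p + y_p*(2r - w) = 0 mod p.
    """
    f_r = r * r - w * r + a
    if f_r % p != 0:
        raise ValueError("r is not a root of f modulo p")
    f_prime = (2 * r - w) % p            # f'(r) must be a unit mod p
    if f_prime == 0:
        raise ValueError("f'(r) = 0 mod p: the simple lift does not apply")
    y = (-(f_r // p) * pow(f_prime, -1, p)) % p
    return (r + p * y) % (p * p)


def crt(u_p, u_q, p2, q2):
    """Combine u = u_p mod p^2 and u = u_q mod q^2 into u mod p^2 q^2."""
    t = (u_q - u_p) * pow(p2, -1, q2) % q2
    return (u_p + p2 * t) % (p2 * q2)


def large_rsak_witness(p, q, e, a, c, r):
    """Return u in Z_{n^2}^* with c = (u + a/u)^e mod n^2 and u = r mod n."""
    n = p * q
    n2 = n * n
    phi = (p - 1) * (q - 1)
    if gcd(c, n) != 1 or gcd(e, phi * n) != 1:
        raise ValueError("c must be a unit and e invertible mod phi(n) n")
    d = pow(e, -1, phi * n)              # e d = 1 mod phi(n) n
    w = pow(c, d, n2)                    # the c^d of eq. (16): we need u + a/u = w
    u = crt(lift_root(r, w, a, p), lift_root(r, w, a, q), p * p, q * q)
    if pow((u + a * pow(u, -1, n2)) % n2, e, n2) != c:   # eq. (15)
        raise AssertionError("lift failed")
    return u


def demo():
    """Toy instance: p = 11, q = 13, e = 7 (coprime to phi(n) n), a = 3, r = 2, m = 5."""
    p, q, e, a, r, m = 11, 13, 7, 3, 2, 5
    c = reciprocal_encrypt(p, q, e, a, r, m)
    u = large_rsak_witness(p, q, e, a, c, r)
    return c, u


if __name__ == "__main__":
    c, u = demo()
    print(f"c = {c}, u = {u}, u mod n = {u % 143}")
```

The lift requires $2r - c^d$ to be a unit modulo $p$ and $q$ (the derivative condition of Hensel's lemma, which the proof uses implicitly); the function raises if it is not, rather than returning a wrong $u$.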


A.3 Proof of Theorem 4 

From Theorem 6 and Lemma 5, the proposed encryption scheme is IND-CPA if $Reciprocal_0(n, e, a)$ and $LARGE_{RSAK}(n, e, a)$ are indistinguishable. From the definition we have $Reciprocal_0(n, e, a) = SMALL_{RSAK}(n, e, a)$. 

B Flaw in the Semantic Security of Rabin-Paillier 

Let 

$SMALL_{QR}(n, e) = \{(n, e, x) \mid x = r^{2e} \bmod n^2,\ r \in Q_n\}$ 
$LARGE_{QR}(n, e) = \{(n, e, x) \mid x = r^{2e} \bmod n^2,\ r \in Q_{n^2}\}$ 

The Rabin-Paillier encryption scheme is IND-CPA if and only if $SMALL_{QR}(n, e)$ and $LARGE_{QR}(n, e)$ are indistinguishable [GMMV03, Proposition 9]. 

Galindo et al. further claimed that $SMALL_{QR}(n, e)$ and $LARGE_{QR}(n, e)$ are indistinguishable if 

- $SMALL_{RSAP}(n, e)$ and $LARGE_{RSAP}(n, e)$ are indistinguishable (RSA-Paillier is IND-CPA under this condition) and 

- $QR(n)$ and $QNR(n, +)$ are indistinguishable, where 

$QR(n) = \{(n, x) \mid x \in Q_n\}$ 

$QNR(n, +) = \{(n, x) \mid x \in \mathbb{Z}_n^*,\ \left(\tfrac{x}{n}\right) = 1\}$ 

in [GMMV03, Proposition 11]. 

However, this claim is wrong. In the proof, they say that $D_1$ and $D_2$ are indistinguishable, where 

$D_1 = \{x \mid x = r^e \bmod n^2,\ r \in Q_n\}$ 

$D_2 = \{x \mid x = r^e \bmod n^2,\ r \in \mathbb{Z}_n^*\}$. 

However, we can distinguish them easily by computing the Jacobi symbol $\left(\tfrac{x}{n}\right)$. 
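The Jacobi-symbol distinguisher of the last sentence, as an added worked example that is not part of the paper. Reducing $x = r^e \bmod n^2$ modulo $n$ gives $r^e \bmod n$, and $\left(\tfrac{r^e}{n}\right) = \left(\tfrac{r}{n}\right)^e = \left(\tfrac{r}{n}\right)$ for odd $e$; this is $+1$ for every $r \in Q_n$ but $-1$ for half of $\mathbb{Z}_n^*$. The modulus $n = 1009 \cdot 1013$, the exponent $e = 17$ and the sample counts are constructed values; the Jacobi symbol is computed with the standard quadratic-reciprocity algorithm.

```python
# Added example (not from the paper): distinguishing D_1 from D_2 with the
# Jacobi symbol (x/n). Modulus, exponent and sample counts are constructed.
import random
from math import gcd


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, via quadratic reciprocity."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    a %= n
    result = 1
    while a:
        while a % 2 == 0:           # (2/n) = -1 exactly when n = 3, 5 mod 8
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                 # reciprocity: sign flips iff both are 3 mod 4
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def random_unit(n, rng):
    while True:
        r = rng.randrange(1, n)
        if gcd(r, n) == 1:
            return r


def sample_d1(n, e, rng):
    """x = r^e mod n^2 with r a quadratic residue, r = s^2 mod n (r in Q_n)."""
    r = pow(random_unit(n, rng), 2, n)
    return pow(r, e, n * n)


def sample_d2(n, e, rng):
    """x = r^e mod n^2 with r uniform in Z_n^*."""
    return pow(random_unit(n, rng), e, n * n)


def guess_d1(x, n):
    """The distinguisher: say 'D_1' iff (x mod n / n) = +1."""
    return jacobi(x % n, n) == 1


def experiment(p=1009, q=1013, e=17, trials=200, seed=0):
    """Count how often the distinguisher says 'D_1' on each distribution.

    Every D_1 sample is accepted; about half of the D_2 samples are rejected.
    """
    rng = random.Random(seed)
    n = p * q
    d1_hits = sum(guess_d1(sample_d1(n, e, rng), n) for _ in range(trials))
    d2_hits = sum(guess_d1(sample_d2(n, e, rng), n) for _ in range(trials))
    return d1_hits, d2_hits


if __name__ == "__main__":
    print(experiment())
```

The test needs no secret: the Jacobi symbol is computable from $n$ alone, which is exactly why indistinguishability of $D_1$ and $D_2$ cannot hold.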
Abstract. At Eurocrypt '02 Cramer and Shoup [7] proposed a general paradigm to construct practical public-key cryptosystems secure against adaptive chosen-ciphertext attacks as well as several concrete examples. Among the others they presented a variant of Paillier's [21] scheme achieving such a strong security requirement and for which two independent decryption mechanisms are allowed. In this paper we revisit such a scheme and show that by considering a different subgroup, one can obtain a different scheme (whose security can be proved with respect to a different mathematical assumption) that allows for interesting applications. In particular we show how to construct a perfectly hiding commitment scheme that allows for an on-line / off-line efficiency tradeoff. The scheme is computationally binding under the assumption that factoring is hard, thus improving on the previous construction by Catalano et al. [5] whose binding property was based on the assumption that inverting RSA[$N$, $N$] (i.e. RSA with the public exponent set to $N$) is hard. 


1 Introduction 

Secrecy of communication is clearly one of the most important goals of cryptography; therefore many secret-key and public-key cryptosystems have been proposed to achieve it. It is furthermore widely admitted that the main security notion to be achieved is semantic security [11] (a.k.a. indistinguishability of ciphertexts). Actually, a semantically secure public-key cryptosystem is not only important for secret communications, but it is also a fundamental primitive for many more complex protocols such as electronic voting, electronic auctions and secret evaluation of functions, to cite some of them. However, having a "secure" cryptosystem is in general not sufficient to construct efficient solutions for the above-mentioned problems. In general more specific properties, such as a kind of malleability, or even homomorphic relations, are very useful to obtain practical constructions. 

C.S. Laih (Ed.): ASIACRYPT 2003, LNCS 2894, pp. 37-54, 2003. 
Roughly speaking, a public-key encryption scheme allows someone to encrypt a message for a unique recipient, the one who owns the corresponding private key (a.k.a. decryption key). But in practice, there is often a natural hierarchy, either for security or for safety reasons: the head of a group may want to be able to read any message sent to the members of the group, people may want to be able to recover the plaintexts even if they lose their private key. Therefore, it is highly desirable to provide schemes that can deal with intermediate scenarios, in which users are allowed to process their own data, but not those of other users. 

Moreover, in practice, there are many situations in which we need more than a plain encryption function. In particular, it is often useful to have a provably secure encryption primitive that allows one to perform some computation on the plaintexts without revealing them explicitly. 

In this paper we propose a simple cryptosystem achieving both the above 
goals. 


1.1 Related Work 

El Gamal's scheme [8] was the first scheme based on the discrete logarithm problem, more precisely on the Diffie-Hellman problem. Furthermore, it enjoys a multiplicative homomorphic property (as the RSA cryptosystem [22]) by which one can easily obtain an encryption of $m_1 \cdot m_2$ by simply multiplying encryptions of $m_1$ and $m_2$. This feature, however, is not very convenient for practical purposes. Indeed for many applications one may desire an efficient cryptosystem equipped with an additive homomorphic property, i.e. such that from encryptions of $m_1$ and $m_2$ one can obtain the encryption of $m_1 + m_2$ by simply combining the corresponding ciphertexts. The first additively homomorphic cryptosystem was proposed by Goldwasser and Micali [11] in their seminal paper on probabilistic encryption. The Goldwasser-Micali scheme is based on quadratic residues. Given an RSA modulus $N$, to encrypt a bit $b$ one chooses a pseudo-square $g \in \mathbb{Z}_N^*$ (i.e. a non quadratic residue having Jacobi symbol equal to 1) and computes $g^b r^2 \bmod N$ for random $r \in \mathbb{Z}_N^*$. The security of the cryptosystem is based on the so-called quadratic residuosity assumption. To improve on bandwidth Benaloh and Fischer [1,6] proposed a generalization of the Goldwasser-Micali cryptosystem based on the prime residuosity assumption. The basic idea of their scheme is to consider $\mathbb{Z}_e$ (instead of $\mathbb{Z}_2$) as underlying message space (where $e$ is a small prime such that it divides $\phi(N)$ but $e^2$ does not). To encrypt a message $m$ one then sets $g^m r^e \bmod N$, where, in this case, $g$ is a non $e$-residue (i.e. an element whose order is a multiple of $e$). The main drawback of this scheme however is that decryption is rather inefficient as it requires some kind of exhaustive search to recover the message (and thus it imposes $e$ to be very small). A more efficient variant of the Benaloh-Fischer scheme was proposed in 1998 by Naccache and Stern [18], who observed that in order to make the decryption procedure faster one can consider a value $e$ that is not prime but instead obtained as the product of several small primes $e_1, \ldots, e_n$ such that $e$ divides $\phi(N)$ but none of the $e_i^2$ does. 
At the same time a completely different approach was proposed by Okamoto and Uchiyama [20] who suggested to work in the group $\mathbb{Z}_N^*$ where $N = p^2 q$. The resulting scheme is very efficient and allows for a pretty large bandwidth (they use $\mathbb{Z}_p$ as underlying message space), but unfortunately it is vulnerable to a simple chosen-ciphertext attack that permits to factor the modulus. 

More recently Paillier [21] proposed a generalization of the Okamoto-Uchiyama cryptosystem that works in the multiplicative group $\mathbb{Z}_{N^2}^*$ and allows $N$ to be a standard RSA modulus. Details of Paillier's scheme are presented below, but its basic idea is that to encrypt a message $m \in \mathbb{Z}_N$ one selects a random value $y$ in $\mathbb{Z}_N^*$ and sets the ciphertext as $g^m y^N \bmod N^2$ (where $g$ is an element whose order is a multiple of $N$ in $\mathbb{Z}_{N^2}^*$). The semantic security of the scheme is proved with respect to the decisional $N$-th residuosity assumption: given a random value $x \in \mathbb{Z}_{N^2}^*$ it is computationally infeasible to decide if there exists another element $z$ in $\mathbb{Z}_{N^2}^*$ such that $x = z^N \bmod N^2$. Paillier's scheme is more efficient (in terms of bandwidth) than all previously described schemes; moreover no adaptive chosen ciphertext attack recovering the factorization of the modulus is known. For these reasons Paillier's proposal is the best solution presented so far in terms of additively homomorphic cryptosystems. 

At Eurocrypt’02 Cramer and Shoup [7] proposed a very general and beautiful 
methodology to obtain security against adaptive chosen-ciphertext attacks from 
a certain class of cryptosystems with some well-defined algebraic properties. 
In particular they showed how to modify Paillier’s original scheme in order to 
achieve such a strong security goal. The resulting variant, moreover, allows for a 
double decryption mechanism: one can decrypt either if the factorization of the 
modulus is available or if some specific discrete logarithm is known. 


1.2 Our Contribution 

As described above all the additively homomorphic cryptosystems known so far base their security on some assumption relying on deciding residuosity. 

In this paper we further investigate the basic Cramer-Shoup variant and show that by slightly modifying the underlying structure of the scheme we obtain a new cryptosystem that allows for some more useful applications, maintaining, at the same time, all the "good" properties and with security based on a different (non residuosity-related) decisional assumption¹. Our new public-key encryption scheme, as the proposal in [7], allows for a double decryption mechanism based either on the factorization of the modulus, or on the knowledge of a discrete logarithm. The former trapdoor can be seen as the master one, while the latter is a local one: the knowledge of a discrete logarithm helps to decrypt ciphertexts which have been encrypted with a specific key only, while the factorization of the modulus helps to decrypt any ciphertext, whatever the key is (as long as the underlying modular group remains the same). The basic version of our scheme enjoys an additive homomorphic property (similarly to Paillier's scheme [21]). Furthermore, it is semantically secure in the standard model, based on the decisional Diffie-Hellman assumption modulo a square composite number. Thus our proposal is the first additively homomorphic cryptosystem that can be proved semantically secure with respect to a non residuosity-related decisional assumption. 

¹ Here, by non-residuosity related assumption, we mean a decisional assumption which claims something different from the intractability of deciding memberships in a high-residues set. 

We emphasize that by applying the Cramer-Shoup [7] general methodology, 
our scheme can be proved secure against adaptive chosen-ciphertext attacks in 
the standard model. 

Interestingly enough, given the master key, a kind of gap group [19] appears 
in which the computational Diffie-Hellman problem is hard, while the corre- 
sponding decisional problem turns out to be easy — thanks to the easiness of 
computing the partial discrete logarithm problem (see below). This is the first 
gap group structure known not based on elliptic curves and pairings. 

As an additional result we show how to construct a new, efficient, perfectly 
hiding / computationally binding commitment scheme based on factoring. A 
useful property of such a commitment scheme is that it allows for an on-line/off- 
line efficiency trade-off, by which, one may perform the most expensive part of 
the work, before knowing the message to commit to. To our knowledge no other 
trapdoor commitment scheme with this property, based on factoring, is known. 

2 Preliminaries 

2.1 Definitions and Notations 

Let $N = pq$ be a safe-prime modulus, meaning by this that $p$ and $q$ are primes of the form $p = 2p' + 1$ and $q = 2q' + 1$, where $p'$ and $q'$ are also primes. In the remainder of this paper, we denote by $SP(\ell)$ the set of safe prime numbers of length $\ell$. We consider $G = QR_{N^2}$, the cyclic group of quadratic residues modulo $N^2$. We have $ord(G) = \lambda(N^2)/2 = pp'qq' = N\lambda(N)/2$, with $\lambda(N) = 2p'q'$. The maximal order of an element in this group is $N\lambda(N)/2$, and every element of order $N$ is of the form $\alpha = (1 + kN)$. 

The latter statement is not so trivial, but it will be very useful rewritten as follows: there are exactly $N$ elements of order $N$ in $\mathbb{Z}_{N^2}^*$, and they are all of the form $\alpha = 1 + kN$. Furthermore, since $N$ is odd, if one denotes by $t$ the inverse of $2$ modulo $N$: 

$\alpha = 1 + kN = (1 + tkN)^2 \bmod N^2.$ 

Therefore, they are all in $G$ too. 

2.2 The Partial Discrete Logarithm Problem 

Let $g$ be an element of maximal order in $G$. For simplicity, we assume that $g^{\lambda(N)} \bmod N^2 = (1 + N) \bmod N^2$, that is $k = 1$. Given $g$ and $h = g^a \bmod N^2$ (for some $a \in [1, ord(G)]$), Paillier [21] defined the Partial Discrete Logarithm Problem as the computational problem of computing $a \bmod N$. We assume this problem is difficult (without the factorization of the modulus), as stated in the following assumption. 

Assumption 1 (Partial Discrete Logarithm over $\mathbb{Z}_{N^2}^*$). For every probabilistic polynomial time algorithm $A$, there exists a negligible function $negl()$ such that for sufficiently large $\ell$ 

$\Pr\left[ A(N, g, h) = a \bmod N \;\middle|\; p, q \leftarrow SP(\ell/2);\ N = pq;\ g \leftarrow G;\ a \leftarrow [1, ord(G)];\ h = g^a \bmod N^2 \right] = negl(\ell).$ 

Moreover Paillier proved that, when the factorization of the modulus is available, such a problem is efficiently solvable. 

Theorem 2 (See [21]). Let $N$ be a composite modulus, product of two large primes. Let $G$ be the cyclic group of quadratic residues modulo $N^2$. The Partial Discrete Logarithm problem (in $G$) cannot be harder than factoring. 

Proof. It is easy to see that we can solve the PDL problem if the factorization of $N$ is provided, by using the following algorithm: 

1. Compute $C = h^{\lambda(N)} \bmod N^2 = (1 + N)^a \bmod N^2 = (1 + aN) \bmod N^2$; 

2. Return the integer $(C - 1 \bmod N^2)/N$. 

□ 


2.3 Details of Paillier’s Cryptosystem 

Let $N = pq$ be an RSA modulus and $g$ an element having order $\alpha N$ ($\alpha > 1$) in the multiplicative group $\mathbb{Z}_{N^2}^*$. To encrypt a message $m \in \mathbb{Z}_N$ Paillier proposed the following mechanism 

$E_g(m, y) = g^m y^N \bmod N^2$ 

for some random $y \in \mathbb{Z}_N^*$, and he proved that: 

— $E_g$ is a bijection between $\mathbb{Z}_N \times \mathbb{Z}_N^*$ and $\mathbb{Z}_{N^2}^*$. 

— $E_g$ is a trapdoor function equivalent to RSA[$N$, $N$]. 

— The above encryption scheme is semantically secure against chosen-plaintext attack under the $N$-residuosity assumption (see [21] for details). 

Since $E_g$ is a bijection, given $g$, for an element $w \in \mathbb{Z}_{N^2}^*$ there exists a unique pair $(c, z) \in \mathbb{Z}_N \times \mathbb{Z}_N^*$ such that $w = g^c z^N \bmod N^2$. We say that $c$ is the class of $w$ relative to $g$. Informally (see [21] for more details), Paillier defined the Computational Composite Residuosity Class Problem as the problem of computing $c$ given $w$ and assumed that it is hard to solve. 
2.4 The "Lite" Cramer-Shoup Variant 

Let $N$ be a product of two safe primes $p$ and $q$ and $g$ an element of order $\lambda(N)$ in $\mathbb{Z}_{N^2}^*$. Such a $g$ can be found by randomly selecting $\mu \in \mathbb{Z}_{N^2}^*$ and setting $g = -\mu^{2N}$. It is not hard to show that this results in a generator with overwhelming probability (see [7] for more details). Then we produce the remaining part of the public key $h$ as follows. Randomly choose a secret key $z \in [0, N^2/2]$ and set $h = g^z \bmod N^2$. (Note that for the purposes of this paper, we are considering a very simplified version of the Cramer-Shoup scheme, achieving semantic security only with respect to a passive adversary. The reader is referred to [7] for the complete solution achieving full security properties.) 

To encrypt a message $m \in \mathbb{Z}_N$ one chooses a random value $r \in [0, N/4]$ and computes the ciphertext $(A, B)$ where $A = g^r \bmod N^2$ and $B = h^r(1 + mN) \bmod N^2$. 

Conversely, to decrypt a ciphertext $(A, B)$ two methods are possible: either by computing $(1 + mN)$ as $B/A^z \bmod N^2$ or by using the decryption procedure described by Paillier [21] for his scheme. Note that for this second mechanism to work, knowing the value of $B$ is sufficient. Indeed $m$ can be retrieved from $B = h^r(1 + mN) \bmod N^2$ as follows. We denote by $\pi$ the inverse of $\lambda(N) \bmod N$ (note that $\gcd(N, \lambda(N)) = 1$): 

$m = \frac{(B^{\lambda(N)} \bmod N^2) - 1}{N} \cdot \pi \pmod N \quad \text{since } B^{\lambda(N)} = 1 + m\lambda(N)N \bmod N^2.$ 

2.5 The Decisional Diffie-Hellman Problem over Z^ 2 

Informally speaking, the Decisional Diffie-Hellman Problem consists, when given two random Diffie-Hellman "public keys" $A = g^a$ and $B = g^b$, in distinguishing the resulting shared key $g^{ab}$ from a random value (see [11] for the definition of computational indistinguishability). Of course, this is to be done without possessing any of the secret keys $a$, $b$ or the factorization of the modulus. 

We thus state the Decisional Diffie-Hellman Assumption (DDH) over a squared composite modulus of the form $N = pq$. 

Assumption 3 (DDH Assumption over $\mathbb{Z}_{N^2}^*$). For every probabilistic polynomial time algorithm $A$, there exists a negligible function $negl()$ such that for sufficiently large $\ell$ 

$\left| \Pr\left[ A(N, X, Y, Z_b \bmod N) = b \;\middle|\; p, q \leftarrow SP(\ell/2);\ N = pq;\ g \leftarrow G;\ x, y, z \leftarrow [1, ord(G)];\ X = g^x \bmod N^2;\ Y = g^y \bmod N^2;\ Z_0 = g^z \bmod N^2;\ Z_1 = g^{xy} \bmod N^2;\ b \leftarrow \{0, 1\} \right] - \frac{1}{2} \right| = negl(\ell).$ 

The Decisional Diffie-Hellman Assumption is related to the regular Diffie-Hellman assumption that says that given $g^a$ and $g^b$ one cannot compute $g^{ab}$ in polynomial time. Clearly this assumption relies on the hardness of computing discrete logs. Reductions in the inverse direction are not known. Interestingly enough, if the factorization of the modulus is available, solving the decisional Diffie-Hellman problem (over $\mathbb{Z}_{N^2}^*$) turns out to be easy. 

Theorem 4. Let $N$ be a composite modulus, product of two large primes. Let $G$ be the cyclic group of quadratic residues modulo $N^2$. The decisional Diffie-Hellman problem (in $G$) cannot be harder than factoring. 

Proof. Assume the factorization of the modulus is provided, we are given a challenge triplet $Q = (g^a, g^b, g^c)$ and we have to determine if it is a Diffie-Hellman triplet or not. Our strategy is as follows. Using the factorization of the modulus we compute $a \bmod N$, $b \bmod N$ and $c \bmod N$, then we check whether the following relation holds: 

$ab = c \bmod N. \qquad (1)$ 

Note that if $Q$ is a Diffie-Hellman triplet, the relation (1) is in fact satisfied with probability 1. On the other hand if $Q$ is not a Diffie-Hellman triplet, the probability that the relation (1) is verified is: 

$\Pr[ab = c \bmod N \wedge ab \neq c \bmod p'q'N].$ 

Since $a$, $b$ and $c$ are random elements in $\mathbb{Z}_{N^2}^*$ they can be written as $a = a_1 + a_2 N$, $b = b_1 + b_2 N$ and $c = c_1 + c_2 N$ where $a_1, a_2, b_1, b_2, c_1, c_2 \in \mathbb{Z}_N$. Thus denoting $\delta = a_2 b_1 + a_1 b_2 + a_2 b_2 N$ the above probability becomes 

$\Pr[a_1 b_1 = c_1 \bmod N \wedge \delta \neq c_2 \bmod \phi(N)]$ 
$= \Pr[a_1 b_1 = c_1 \bmod N] \times \Pr[\delta \neq c_2 \bmod \phi(N)].$ 

The probability that $a_1 b_1 = c_1 \bmod N$ for randomly chosen $a_1$, $b_1$ and $c_1$ is clearly $1/N$. On the other hand the probability that the event $\delta \neq c_2 \bmod \phi(N)$ happens is bounded by $1 - 1/\phi(N)$. In total the above probability can be bounded by $\frac{1}{N}\left(1 - \frac{1}{\phi(N)}\right)$, and thus our strategy succeeds with probability approximately $1 - \frac{1}{N}$. 

□ 


Remark 5. A Gap-Group is a group in which a computational problem is hard, but the corresponding decisional one is "easy". In other words, the computational and the decisional problems are strictly separated in such a group. This implies that the corresponding Gap-Problem [19] is computationally hard. The first example of a gap group was proposed by Joux and Nguyen in [15]. The above result shows that, when the factorization of $N$ is provided, $\mathbb{Z}_{N^2}^*$ can be seen as some kind of gap group for the Diffie-Hellman problem. 
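The two factoring-based algorithms above, the partial discrete logarithm of the proof of Theorem 2 and the DDH test of Theorem 4, as an added example in Python that is not part of the paper. The safe primes $p = 47$ and $q = 59$ ($p' = 23$, $q' = 29$) are constructed toy values. $g$ is drawn as $\alpha^2 \bmod N^2$ and kept only when it has maximal order $Np'q'$, which is what the paper assumes for $g$; the paper's simplification $k = 1$ is not assumed, so $g^{\lambda(N)} = 1 + kN$ is divided out by $k$.

```python
# Added example (not from the paper): partial discrete log with the factorization
# (proof of Theorem 2) and the DDH decision procedure of Theorem 4 built on it.
# p = 47, q = 59 are constructed toy safe primes (p' = 23, q' = 29).
import random
from math import gcd

P, Q = 47, 59
PP, QQ = (P - 1) // 2, (Q - 1) // 2          # p', q'
N = P * Q
N2 = N * N
LAM = 2 * PP * QQ                             # lambda(N) = 2 p' q'
ORD_G = N * LAM // 2                          # ord(G) = N lambda(N) / 2 = N p' q'


def L(x):
    """Paillier's L function (x - 1) / N, defined for x = 1 mod N."""
    if (x - 1) % N != 0:
        raise ValueError("x is not 1 modulo N")
    return (x - 1) // N


def random_generator(rng):
    """g = alpha^2 mod N^2 lies in G; keep it only if its order is N p' q'."""
    while True:
        alpha = rng.randrange(2, N2)
        if gcd(alpha, N) != 1:
            continue
        g = pow(alpha, 2, N2)
        # maximal order iff g^(ord(G)/d) != 1 for every prime d | ord(G)
        if all(pow(g, ORD_G // d, N2) != 1 for d in (P, Q, PP, QQ)):
            return g


def partial_dlog(h, g):
    """a mod N from h = g^a mod N^2, knowing lambda(N).

    g^lambda(N) = 1 + kN mod N^2 (k = 1 under the paper's simplification), so
    h^lambda(N) = (1 + kN)^a = 1 + akN mod N^2 and L(.) * k^-1 gives a mod N.
    """
    k = L(pow(g, LAM, N2)) % N
    return L(pow(h, LAM, N2)) * pow(k, -1, N) % N


def is_dh_triple(g, X, Y, Z):
    """Theorem 4: with the factorization, test relation (1), ab = c mod N."""
    a, b, c = (partial_dlog(t, g) for t in (X, Y, Z))
    return (a * b - c) % N == 0


def demo(seed=1):
    """Returns (PDL correct?, real DH triple accepted?, non-DH triple accepted?)."""
    rng = random.Random(seed)
    g = random_generator(rng)
    a = rng.randrange(1, ORD_G + 1)
    pdl_ok = partial_dlog(pow(g, a, N2), g) == a % N
    x, y = rng.randrange(1, ORD_G + 1), rng.randrange(1, ORD_G + 1)
    X, Y = pow(g, x, N2), pow(g, y, N2)
    real = is_dh_triple(g, X, Y, pow(g, x * y, N2))
    # a deliberately non-DH triple: exponent xy + 1 differs from xy modulo N
    fake = is_dh_triple(g, X, Y, pow(g, x * y + 1, N2))
    return pdl_ok, real, fake


if __name__ == "__main__":
    print(demo())
```

The deliberately wrong triple shows the one-sided nature of the test: a random non-DH triple still passes with probability about $1/N$, which is the error term in the proof.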


3 The Scheme 

Our scheme can be seen as an additively homomorphic variant of the well-known El Gamal cryptosystem [8]. Let $h$ and $g$ be two elements of maximal order in $G$. Note that, if $h$ is computed as $g^x$, where $x \in_R [1, \lambda(N^2)]$, then $x$ is coprime with $ord(G)$ with high probability, and thus $h$ is of maximal order. The message space here is $\mathbb{Z}_N$. 
Key Generation - Choose a random element $\alpha \in \mathbb{Z}_{N^2}^*$, a random value $a \in [1, ord(G)]$ and set $g = \alpha^2 \bmod N^2$ and $h = g^a \bmod N^2$. The public key is given by the triplet $(N, g, h)$ while the corresponding secret key is $a$. 

Encrypt - Given a message $m \in \mathbb{Z}_N$, a random pad $r$ is chosen uniformly at random in $\mathbb{Z}_{N^2}$; the ciphertext $(A, B)$ is computed as 

$A = g^r \bmod N^2, \qquad B = h^r(1 + mN) \bmod N^2.$ 

First Decryption Procedure - Knowing $a$, one can compute $m$ as follows: 

$m = \frac{B/(A^a) - 1 \bmod N^2}{N}.$ 

Alternate Decryption Procedure - If the factorization of the modulus is provided, one can compute $a \bmod N$ and $r \bmod N$ as seen in the previous section. Let $ar \bmod ord(G) = \gamma_1 + \gamma_2 N$; thus $\gamma_1 = ar \bmod N$ is efficiently computable. Note that 

$D = \left(\frac{B}{g^{\gamma_1}}\right)^{\lambda(N)} = \frac{\left(g^{ar}(1 + mN)\right)^{\lambda(N)}}{g^{\gamma_1 \lambda(N)}} = 1 + m\lambda(N)N \bmod N^2.$ 

So, still denoting by $\pi$ the inverse of $\lambda(N)$ in $\mathbb{Z}_N^*$, one can compute $m = \frac{D - 1}{N} \cdot \pi \pmod N$. 


Remark 6. Note that even though the two described decryption procedures produce the same result when applied to a correctly generated ciphertext, they are not equivalent from a computational point of view. Indeed knowing the discrete logarithm $a$ of $h$ with respect to the base $g$ in $\mathbb{Z}_{N^2}^*$ allows one to decrypt any valid ciphertext generated using $g$ and $h$ as underlying public key. More precisely, knowledge of $a$ allows one to decrypt any ciphertext generated with respect to a public key in $\{N\} \times Q \times H$ where $Q \times H$ is the set of the couples $(g, h)$ such that $h = g^a \bmod N^2$. On the other hand knowing the factorization of the modulus allows one to decrypt ciphertexts generated with respect to any public key in $\{N\} \times G \times G$. 


Remark 7. Another interesting comparison regards the invalid (that is, not correctly generated) ciphertexts. Namely, if a ciphertext is not correctly generated, the fault can be detected when decrypting using the secret discrete logarithm. On the other hand, however, if the ciphertext is decrypted using the factorization of the modulus, the resulting (invalid) plaintext cannot be recognized as such. To illustrate this, consider the following example. Let $(A, B)$ be a given ciphertext, with $A \in G$. Since $g$ is a generator of $G$ there exists $r$, and thus $K$, $m$, such that: 

$A = g^r \text{ where } r \in [1, ord(G)],$ 
$B = h^r(K + mN) \text{ where } K, m \in \mathbb{Z}_N.$ 

If decrypted with the discrete logarithm trapdoor, this leads to a failure, since $B/A^a$ differs from $1 \bmod N$. Then, the incorrect encryption is detected. 

Conversely, if one decrypts using the factorization, one gets $a \bmod N$ and $r \bmod N$ and thus (let us denote $ar = \gamma_1 + \gamma_2 N$): 

$D = \left(\frac{B}{g^{\gamma_1}}\right)^{\lambda(N)} = g^{ar\lambda(N) - \gamma_1\lambda(N)}(K + mN)^{\lambda(N)} = (K + mN)^{\lambda(N)} \bmod N^2$ 
$= K^{\lambda} + \lambda K^{\lambda - 1} mN = K^{\lambda} + \lambda (K^{-1} \bmod N) mN \pmod{N^2}$ 
$= 1 + \alpha N + mL\lambda N = 1 + (\alpha\pi + mL \bmod N)\lambda(N)N \pmod{N^2},$ 

where one can write $K^{\lambda(N)} = 1 + \alpha N \bmod N^2$, $L = K^{-1} \bmod N$ and where $\pi$ is the inverse of $\lambda \bmod N$. Thus, the output plaintext is $m' = \alpha\lambda^{-1} + mK^{-1} \bmod N$. 
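The scheme of this section with both decryption procedures, as an added example in Python that is not the paper's own code. It also exercises the additive homomorphism and the behaviour of Remark 7: a malformed ciphertext $h^r(K + mN)$ with $K \neq 1$ is rejected by the discrete-logarithm trapdoor but silently decrypted to $m' = \alpha\lambda^{-1} + mK^{-1} \bmod N$ by the factoring trapdoor. The safe primes $p = 47$, $q = 59$ and the RNG seed are constructed values; the maximal-order check in `keygen` is a generic order test, not something the paper prescribes, and `partial_dlog` divides out the $k$ of $g^{\lambda(N)} = 1 + kN$ instead of assuming $k = 1$.

```python
# Added example (not code from the paper): the double-trapdoor scheme of
# Section 3, its additive homomorphism, and the invalid-ciphertext behaviour of
# Remark 7. p = 47, q = 59 are constructed toy safe primes.
import random
from math import gcd

P, Q = 47, 59
PP, QQ = (P - 1) // 2, (Q - 1) // 2
N = P * Q
N2 = N * N
LAM = 2 * PP * QQ                    # lambda(N)
ORD_G = N * LAM // 2                 # ord(G) = N p' q'


def L(x):
    """(x - 1) / N for x = 1 mod N."""
    if (x - 1) % N != 0:
        raise ValueError("not 1 mod N")
    return (x - 1) // N


def keygen(rng):
    """pk = (N, g, h), sk = a, with g = alpha^2 mod N^2 of maximal order, h = g^a."""
    while True:
        alpha = rng.randrange(2, N2)
        if gcd(alpha, N) == 1:
            g = pow(alpha, 2, N2)
            if all(pow(g, ORD_G // d, N2) != 1 for d in (P, Q, PP, QQ)):
                break
    a = rng.randrange(1, ORD_G + 1)
    return (N, g, pow(g, a, N2)), a


def encrypt(pk, m, rng, K=1):
    """(A, B) = (g^r, h^r (K + mN)) mod N^2 with r uniform in Z_{N^2}.
    K = 1 is a valid ciphertext; K != 1 is the malformed one of Remark 7."""
    _, g, h = pk
    r = rng.randrange(N2)
    return pow(g, r, N2), pow(h, r, N2) * (K + m * N) % N2


def add(ct1, ct2):
    """Additive homomorphism: (A1 A2, B1 B2) encrypts m1 + m2 mod N."""
    return ct1[0] * ct2[0] % N2, ct1[1] * ct2[1] % N2


def decrypt_with_dlog(pk, a, ct):
    """First procedure: m = (B / A^a - 1 mod N^2) / N; rejects B/A^a != 1 mod N."""
    A, B = ct
    D = B * pow(pow(A, a, N2), -1, N2) % N2
    if D % N != 1:
        raise ValueError("invalid ciphertext: B / A^a != 1 mod N")
    return L(D)


def partial_dlog(h, g):
    """a mod N from h = g^a mod N^2 using lambda(N) (Theorem 2)."""
    k = L(pow(g, LAM, N2)) % N                 # g^lambda(N) = 1 + kN mod N^2
    return L(pow(h, LAM, N2)) * pow(k, -1, N) % N


def decrypt_with_factoring(pk, ct):
    """Alternate procedure: gamma_1 = (a mod N)(r mod N) mod N, then
    D = (B / g^gamma_1)^lambda(N) = 1 + m lambda(N) N and m = L(D) * pi mod N."""
    _, g, h = pk
    A, B = ct
    gamma1 = partial_dlog(h, g) * partial_dlog(A, g) % N
    D = pow(B * pow(pow(g, gamma1, N2), -1, N2) % N2, LAM, N2)
    return L(D) * pow(LAM, -1, N) % N          # pi = lambda(N)^-1 mod N


def remark7_output(K, m):
    """What the factoring trapdoor returns for h^r (K + mN):
    m' = alpha lambda^-1 + m K^-1 mod N, where K^lambda(N) = 1 + alpha N mod N^2."""
    alpha = L(pow(K, LAM, N2)) % N
    return (alpha * pow(LAM, -1, N) + m * pow(K, -1, N)) % N


def demo(seed=7):
    """Returns (both trapdoors agree, homomorphism holds, dlog rejects K=2,
    factoring silently returns the Remark 7 value)."""
    rng = random.Random(seed)
    pk, a = keygen(rng)
    m1, m2 = rng.randrange(N), rng.randrange(N)
    c1, c2 = encrypt(pk, m1, rng), encrypt(pk, m2, rng)
    both = decrypt_with_dlog(pk, a, c1) == m1 == decrypt_with_factoring(pk, c1)
    hom = decrypt_with_dlog(pk, a, add(c1, c2)) == (m1 + m2) % N
    bad = encrypt(pk, m1, rng, K=2)            # malformed ciphertext, K = 2
    try:
        decrypt_with_dlog(pk, a, bad)
        detected = False
    except ValueError:
        detected = True
    silent = decrypt_with_factoring(pk, bad) == remark7_output(2, m1)
    return both, hom, detected, silent


if __name__ == "__main__":
    print(demo())
```

The factoring trapdoor never looks at the $K$ component, which is why the wrong plaintext comes back without any error: a deployment that decrypts with the master trapdoor needs an integrity check on ciphertexts that the local trapdoor gets for free.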


4 Security Requirements 

4.1 One-Wayness 

In this section we prove that the one-wayness of the scheme presented in Section 3 can be related to the Lift Diffie-Hellman problem that we are about to define. 

Let $g, X, Y, Z \in G$ where $X = g^x \bmod N^2$, $Y = g^y \bmod N^2$ and $Z = g^{xy} \bmod N^2$. The well-known (computational) Diffie-Hellman problem (modulo $N^2$) asks to compute $Z$ when $X$, $Y$, $g$ and $N$ are provided. Similarly we define the Lift Diffie-Hellman problem as the one to compute $Z$ when $X$, $Y$, $g$, $N$ and $Z \bmod N$ are given. Of course it cannot be harder than the Computational Diffie-Hellman problem, but we don't know if the two problems are actually equivalent. 


Definition 8 (Lift Diffie-Hellman Problem). We say that the Lift Diffie-Hellman computational problem is hard if, for every probabilistic polynomial time algorithm $A$, there exists a negligible function $negl()$ such that for sufficiently large $\ell$ 

$\Pr\left[ A(N, X, Y, Z \bmod N) = Z \pmod{N^2} \;\middle|\; p, q \leftarrow SP(\ell/2);\ N = pq;\ g \leftarrow G;\ x, y \leftarrow [1, ord(G)];\ X = g^x \bmod N^2;\ Y = g^y \bmod N^2;\ Z = g^{xy} \bmod N^2 \right] = negl(\ell).$ 


Theorem 9 (One-wayness). The scheme presented in Section 3 is one-way if and only if the Lift Diffie-Hellman problem is hard. 

Proof. For $g, h \in G$, let $(N, g, h)$ be a public key, and $(A, B) = (g^r, h^r(1 + mN)) \bmod N^2$ an encryption of a random message $m$. If one can efficiently solve the Lift Diffie-Hellman problem then, on input $X = A = g^r$, $Y = h$ and $z = h^r(1 + mN) \bmod N = h^r \bmod N$, one can compute the quantity $Z = h^r \bmod N^2$ from which retrieving $m$ is trivial. 

Conversely, if one can correctly extract $m$ from a correctly generated ciphertext, then such a capability can be used to solve the Lift Diffie-Hellman problem as follows. Assume we are given $g$, $X = g^x \bmod N^2$, $Y = g^y \bmod N^2$ and $z = g^{xy} \bmod N$. For a randomly chosen message $m$, we generate a ciphertext $(A, B)$ as follows: we set the public key $(N, g, h = Y)$, $A = X$ and $B = z(1 + mN) \bmod N^2$. Our goal is to retrieve $Z = g^{xy} \bmod N^2$. 

Let $M$ be the extracted plaintext corresponding to $(A, B)$. We have by definition: 

$B = Z(1 + MN) = Z + ZMN = Z + (Z \bmod N)MN = Z + zMN \bmod N^2.$ 

On the other hand, from the construction of $B$, it follows that $z + zmN = Z + zMN \bmod N^2$. Thus, we can efficiently compute $Z = z(1 + (m - M)N) \bmod N^2$. 

□ 

With the following theorem we make explicit the relation existing between the Lift Diffie-Hellman problem and the Partial Discrete Logarithm problem.

Theorem 10. If the Partial Discrete Logarithm problem is hard then so is the Lift Diffie-Hellman problem.

Proof. The proof goes by a standard reduction argument. Assume we are given an oracle $\mathcal{O}$ for the Lift Diffie-Hellman problem that on input a triplet of the form $(X, Y, z) = (g^x \bmod N^2, g^y \bmod N^2, g^{xy} \bmod N)$ returns the value $g^{xy} \bmod N^2$ with some non-negligible probability $\varepsilon$. Our goal is to use the provided oracle to compute the partial discrete logarithm of a given challenge $h = g^{a_1 + a_2 N}$ in $\mathbb{Z}^*_{N^2}$ with respect to the base $g$ (we assume $g$ is a generator of the group $G$ of quadratic residues in $\mathbb{Z}^*_{N^2}$). Since $g$ is a generator of $G$ any quadratic residue $c$ can be written as $c = g^{r_1 + r_2\lambda(N)/2}$ for some $r_1 \in \mathbb{Z}_{\lambda(N)/2}$ and $r_2 \in \mathbb{Z}_N$. Moreover

$$g^{\lambda(N)/2} = (1 + \alpha N) \quad \text{for some } \alpha \in \mathbb{Z}_N.$$

Now we set $X = h$ and $Y = g^{r_1}(1 + r_2 N) \bmod N^2$ where $r_1$ is a random value in $[0 \ldots (N+1)/4]$, and $r_2$ a random element in $\mathbb{Z}_N$. Note that $Y$ is not uniformly distributed over $G$, but its distribution is statistically close to uniform (the statistical difference is of order $O(2^{-|p|})$). Finally we set $z = X^{r_1} \bmod N$. Observe that

$$Y = g^{r_1}(1 + r_2 N) = g^{r_1}(1 + \alpha r_2 \alpha^{-1} N) = g^{r_1 + \beta r_2 \lambda(N)/2} \pmod{N^2}$$

where $\beta = \alpha^{-1} \bmod N$.

Now we query the oracle $\mathcal{O}$ on input $(X, Y, z)$ and with probability $\varepsilon$ it will provide the correct answer $Z'$ such that

$$Z' = X^{r_1 + \beta r_2\lambda(N)/2} \bmod N^2 = X^{r_1}\, g^{a_1 \beta r_2 \lambda(N)/2} \bmod N^2.$$

Thus

$$\frac{Z'}{X^{r_1}} = g^{a_1 \beta r_2 \lambda(N)/2} \bmod N^2 = (1 + a_1 r_2 N) \bmod N^2,$$

from which we can get $a_1$ easily.
In [21] Paillier noted that when the order of $g$ is maximal, and $N$ is the product of two safe primes, then the partial discrete logarithm problem is equivalent to the problem of computing the composite residuosity class. This equivalence result can easily be extended to the case in which $g$ is a generator of the group of quadratic residues modulo $N^2$. This implies that, in our case, the Lift DH problem is at least as hard as the computational class problem introduced by Paillier.

4.2 Semantic Security 

Theorem 11 (Semantic Security). If the Decisional Diffie-Hellman Assumption in $\mathbb{Z}^*_{N^2}$ holds, then the scheme presented in section 3 is semantically secure.

Proof. For the sake of contradiction assume the scheme is not semantically secure. This means that there is a polynomial time distinguisher $\mathcal{A}$ that can break semantic security. Our goal then is, given a quadruple $Q = (g, g^a, g^b, g^c)$, to use $\mathcal{A}$ to decide if it is a Diffie-Hellman quadruple or a random one (i.e. if $c = ab \bmod \mathrm{ord}(G)$ or not). The public key is first set as $(N, g, h)$ where $h = g^a$; then once the adversary has chosen the messages $m_0$ and $m_1$, we flip a bit $d$ and we encrypt $m_d$ as follows: $E(m_d) = (A, B)$ where $A = g^b$ and $B = g^c(1 + m_d N) \bmod N^2$.

Clearly if $Q$ is a Diffie-Hellman quadruple, the above is a valid encryption of $m_d$ and $\mathcal{A}$ will give the correct response with non-negligible advantage. On the other hand, if $Q$ is not a Diffie-Hellman quadruple, we claim that even a polynomially unbounded adversary gains no information about $m_d$ from $E(m_d)$ in a strong information-theoretic sense.

Let $c = ab + r \bmod \mathrm{ord}(G)$; we can note that $r$ is random and uniformly distributed in $[1, \mathrm{ord}(G)]$ and can be written as $r_1 + r_2\lambda(N)/2$, with $r_1 \in \mathbb{Z}_{\lambda(N)/2}$ and $r_2 \in \mathbb{Z}_N$. The information received by the adversary (together with the public key) is of the form

$$g^b \bmod N^2, \qquad g^{ab + r}(1 + m_d N) \bmod N^2.$$

Let us concentrate on the second value (for the sake of simplicity let us assume that $g^{\lambda(N)/2} = (1 + N) \bmod N^2$).

$$g^{ab + r}(1 + m_d N) = g^{ab}\, g^{r_1}\, g^{r_2\lambda(N)/2}(1 + m_d N) \bmod N^2$$
$$= g^{ab + r_1}(1 + N)^{r_2}(1 + m_d N) \bmod N^2$$
$$= g^{ab + r_1}(1 + (r_2 + m_d)N) \bmod N^2.$$

Note that, in the above relation, $r_2$ hides $m_d$ perfectly and thus $\mathcal{A}$ cannot guess $d$ better than at random.

5 A First Application: Trapdoor Commitment 

5.1 A New On-Line/Off-Line Trapdoor Commitment Scheme 

In this section we present a new trapdoor commitment scheme based on the encryption function proposed in section 3. The security of the scheme can be proven to be equivalent to the hardness of factoring.

As sketched in the introduction, a useful property of the proposed commitment function is that it allows for an on-line/off-line efficiency trade-off, meaning by this that it becomes very efficient to compute when a preprocessing stage is allowed. On-line/off-line trapdoor commitment schemes were first proposed by [5]. In particular, to commit to a message $m$ the sender has to compute only two modular multiplications (using a previously computed value). Such a value is completely independent of $m$ and for this reason can be computed before even knowing which message to commit to. Furthermore we point out that such a preprocessing step requires a single modular exponentiation. Thus even when the precomputation time is considered, our new scheme is basically as efficient as all the other trapdoor commitment schemes known in the literature.

5.2 Trapdoor Commitments 

A trapdoor commitment scheme (a.k.a. chameleon commitment [16]) is a function with an associated pair of matching public and private keys (the latter also called the trapdoor of the commitment). The main property we want from such a function is collision-resistance: unless one knows the trapdoor, it is infeasible to find two inputs that map to the same value. On the other hand, knowledge of the trapdoor suffices to find collisions easily.

More formally, a trapdoor commitment scheme is a triplet $(\mathcal{K}, \mathcal{C}, \mathcal{D})$, where:

— $\mathcal{K}$ is a randomized key generation algorithm. On input a security parameter $k$ it outputs a pair of public and private keys: $\mathcal{K}(1^k) = (pk, sk)$.

— The function $\mathcal{C}$ is the commitment function which depends on $PK$

$$\mathcal{C} : PK \times M \times R \rightarrow C$$

where $PK, M, R, C$ are the public key, message, randomness and committed values spaces respectively.

— The function $\mathcal{D}$ is the collision-finding function,

$$\mathcal{D} : SK \times M \times R \times C \times M \rightarrow R$$

on input the trapdoor information, a committed value (with its inputs) and a message it finds the corresponding random string. That is, given $m, r$ and $c = \mathcal{C}(pk, m, r)$, for any message $m'$ we have $\mathcal{D}(sk, m, r, c, m') = r'$ such that $c = \mathcal{C}(pk, m', r')$.

We require that

1. $(\mathcal{K}, \mathcal{C}, \mathcal{D})$ are functions computable in polynomial time.

2. No efficient algorithm, taking as input the public key, should be able to find, with non-negligible probability, two messages $m \neq m'$ and two random values $r \neq r'$ such that $\mathcal{C}(pk, m, r) = \mathcal{C}(pk, m', r')$.

3. For any message $m$, the distribution $\{c = \mathcal{C}(pk, m, r)\}_{r \in R}$ has to be indistinguishable from uniform.

Note that the term "indistinguishable" above can be intended as usual in three ways: either the distributions are identical, or they are statistically indistinguishable, or computationally indistinguishable (see [12]).
5.3 Previous Work on Trapdoor Commitments

The notion of trapdoor commitments was first proposed by Brassard, Chaum and Crépeau [4] in the context of zero-knowledge arguments. It is well known that trapdoor commitments can be based on the existence of claw-free trapdoor permutations [13,14].

A specific implementation based on factoring was presented in [13,14] and it requires a number of modular squarings in $\mathbb{Z}^*_N$ which is proportional to the length of the committed message.

A famous scheme based on the hardness of computing discrete logarithms has been presented by Boyar et al. [3]. This scheme requires a full modular exponentiation (or alternatively, once again, a number of multiplications which is proportional to the length of the message).

The first commitment scheme with the on-line/off-line property was proposed by [5]. The security of such a scheme is based on the hardness of inverting the RSA function (with public exponent set to $N$).

5.4 Our Commitment Scheme 

Key Generation — The key generation algorithm, on input a security parameter $\ell$, produces a modulus $N$ product of two safe primes of size $\ell/2$ together with a square $h$ of maximal order in $G$. The public key is given by $N$ and $h$. The factorization of the modulus is the private key.

Committing a Message — To commit to a message $m \in \mathbb{Z}_N$ the sender chooses $r \in_R \mathbb{Z}_{N\lambda(N)/2}$ and sets

$$C(r, m) = h^r(1 + mN) \bmod N^2.$$

Then he sends $C(r, m)$ to the receiver. Notice that the sender can compute $h^r$ in advance and without needing to know $m$. Once $m$ is provided, only two more multiplications are required to commit.

Remark 12. As already pointed out in [5], we notice that any commitment $C$ can be modified in order to obtain some on-line/off-line efficiency property. As a matter of fact such a "modified" commitment scheme $C'$ would work as follows: during the off-line stage the sender commits to a random value $s$ with randomness $r$ using $C$ as underlying commitment function. Let $a = C(s, r)$ be the commitment value. Once $m$ is known the sender commits to it by simply sending $a$ and $c = m \oplus s$. The only problem with this approach is that it increases the length of the commitment. Here we denote by on-line/off-line commitment schemes those which achieve such an efficiency trade-off without increasing the length of the committed value.

Theorem 13 (Security). Under the assumption that factoring safe-prime moduli is hard, the above function $C$ is a perfectly hiding trapdoor commitment scheme.
Proof. First notice that, for any $m$, if $r$ is uniformly distributed in $\mathbb{Z}_{N\lambda(N)/2}$, then $C(m, r)$ is uniformly distributed in $G$ (this is because any $1 + mN$ is in $G$, and $h^r$ is uniformly distributed in $G$, since $h$ is a generator).

Now given a commitment $C(m, r) \in G$ together with the corresponding $(m, r)$, knowing the factorization of the modulus, one can find collisions for any message $m'$ as follows. Let $k$ be such that $h^{\lambda(N)} = (1 + kN) \bmod N^2$, and $d$ the inverse of $k$ in $\mathbb{Z}^*_N$. Thus we can write

$$C(m, r) = h^r(1 + mN) = h^r(1 + kdmN) \bmod N^2 = h^{r + dm\lambda(N)} \bmod N^2.$$

This implies that we can find the required $r'$ as follows

$$r' = r + (m - m')\, d\, \lambda(N) \bmod N\lambda(N)/2.$$

Finally to prove security we assume to have an algorithm $\mathcal{A}$ that can find, on input $(N, h)$, two couples $(m, r)$ and $(m', r')$ such that $C(m, r) = C(m', r')$. Note that if $r = r'$ this implies that $m = m'$, thus we will assume that $r \neq r'$. From the two given couples one can write:

$$h^r(1 + mN) = h^{r'}(1 + m'N) \bmod N^2$$

and thus, letting $\Delta_r = r - r'$ and $\Delta_m = m' - m$,

$$h^{\Delta_r} = (1 + \Delta_m N) \bmod N^2.$$

Since $h$ has order $\lambda(N)N/2$ and $(1 + \Delta_m N)$ has order (at most) $N$, this means that $\Delta_r$ is a multiple of $\lambda(N)/2$. This is enough to factor [17]. □
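The commitment of section 5.4 and both directions of the proof above, as an added Python example (not the paper's code; the toy parameters are constructed for the example): `commit` is $C(r, m)$, `open_to` is the trapdoor collision $r' = r + (m - m')d\lambda(N) \bmod N\lambda(N)/2$, and `factor_from_collision` turns any collision with $r \neq r'$ into the factors of $N$ using the fact that $\Delta_r$ is a multiple of $\lambda(N)/2$. The splitting step (a square root of 1 obtained as $x^{t}$ for the odd part $t$ of $\Delta_r$, then a gcd) is the standard argument and stands in for the cited [17]. The primes $p = 1019$, $q = 1187$ and $h = 4$ are my choices.

```python
from math import gcd

# constructed toy safe primes (p = 2*509 + 1, q = 2*593 + 1); real keys use ~512-bit primes
P, Q = 1019, 1187
N = P * Q
N2 = N * N
LAM = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)   # lambda(N) = 2 p' q'
ORD_G = N * LAM // 2                            # |G|, G = squares in Z*_{N^2}


def L(u):
    """(u - 1) / N for u = 1 mod N."""
    assert (u - 1) % N == 0
    return (u - 1) // N


H = 4   # a square; the check confirms it has maximal order in G (public key is (N, H))
assert all(pow(H, ORD_G // f, N2) != 1 for f in (P, Q, (P - 1) // 2, (Q - 1) // 2))


def commit(m, r):
    """C(r, m) = h^r (1 + mN) mod N^2; h^r can be precomputed off-line."""
    return pow(H, r, N2) * (1 + m * N) % N2


def open_to(m, r, m_new):
    """Trapdoor (needs lambda(N), i.e. the factorization): r' with C(r', m_new) = C(r, m)."""
    k = L(pow(H, LAM, N2))           # h^lambda = 1 + kN mod N^2
    d = pow(k, -1, N)                # d = k^{-1} mod N
    return (r + (m - m_new) * d * LAM) % ORD_G


def factor_from_collision(m1, r1, m2, r2):
    """Given a collision with r1 != r2, split N.

    Delta_r = |r1 - r2| is a multiple of lambda(N)/2 = p'q'.  Strip its factors of 2 to
    get an odd t; then x^t is a square root of 1 mod N for every x (lambda(N) | 2t), and
    a non-trivial root reveals a factor via gcd (standard argument, stands in for [17])."""
    assert commit(m1, r1) == commit(m2, r2) and r1 != r2
    t = abs(r1 - r2)
    while t % 2 == 0:
        t //= 2
    for x in range(2, 1000):
        y = pow(x, t, N)             # y^2 = x^(2t) = 1 mod N
        f = gcd(y - 1, N)
        if 1 < f < N:
            return min(f, N // f), max(f, N // f)
    return None


if __name__ == "__main__":
    m, r = 111111, 54321
    r2 = open_to(m, r, 222222)
    print(commit(222222, r2) == commit(m, r))          # True: trapdoor collision
    print(factor_from_collision(m, r, 222222, r2))      # (1019, 1187): collision => factors
```

Perfect hiding is visible in `commit`: both $h^r$ and $1 + mN$ lie in $G$, so for uniform $r$ the commitment is a uniform element of $G$ whatever $m$ is.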


5.5 Application to On-Line/Off-Line Signatures 

On-line/Off-line signatures were introduced by Even, Goldreich and Micali [9]. The basic idea is to split the signature generation process in two stages: the first one, more expensive, is computed off-line before the message to sign is known. The second, more efficient, phase is performed once the message is available. The proposed method, however, is not very practical as it increases the length of the signature by a quadratic factor. More recently Shamir and Tauman [23] introduced a new paradigm — as well as several efficient constructions — based on chameleon commitments, which performs the above conversion more efficiently. Moreover, this technique improves on the security of the underlying signature scheme, which is used to sign only random strings chosen off-line by the signer.

The basic idea is as follows. During the off-line phase the signer computes a chameleon commitment function on input a random message $m'$ and random string $r'$ and signs the resulting value $H(m', r')$. Once the message $m$ to sign is known, the signer uses his knowledge of the trapdoor key to compute a value $r$ such that $H(m, r) = H(m', r')$.

Using our new commitment scheme one can obtain a simple on-line/off-line signature scheme based on factoring.
6 Variants and Other Applications

6.1 A Variant of the Cryptosystem

We propose a variant of our scheme in which the randomness is chosen in a smaller set, namely in $\mathbb{Z}_N$ rather than in $\mathbb{Z}_{N^2}$. Note, however, that we still consider an element $g$ of maximal order in $G$. To encrypt a message $m \in \mathbb{Z}_N$, the operations to perform remain the same:

$$A = g^r \bmod N^2, \qquad B = h^r(1 + mN) \bmod N^2.$$

With this variant, the decryption procedure that makes use of the factorization is simplified, and in particular allows one to detect some incorrectly generated ciphertexts. More precisely, it becomes possible to check whether the underlying random exponent $r$ belongs to the correct interval: before decrypting a ciphertext, the receiver first recovers $\rho = \log_g A \bmod N$ using the factorization of the modulus; after that, it checks if $A = g^\rho \bmod N^2$ holds. If the equality does not hold, it rejects.

Of course, if the ciphertext is correctly generated, that is, $r \in \mathbb{Z}_N$, the recovered value $\rho$ is actually $r$ itself, and thus the equality holds. Whereas if $A$ is not correctly generated, the relation $A = g^\rho$ holds with negligible probability only.

Note that when decrypting such a ciphertext using the first decryption procedure (i.e., with the discrete logarithm of $h$ to the base $g$), the decryption never "fails" at this step, simply because the receiver does not recover the value of $r$, and cannot check its range.

The decryption procedure continues as follows. If using the discrete logarithm trapdoor, the receiver computes $h^r$ as $A^a \bmod N^2$; if using the factorization of $N$, he computes $h^r$ as $h^\rho \bmod N^2$. Then in both cases, one checks whether $B/h^r = 1 \bmod N$ or not, and if yes, one recovers the plaintext.
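The range check of the variant, as an added Python example (not from the paper) on a constructed toy modulus: `decrypt_variant_factor` recovers $\rho = \log_g A \bmod N$ with a Paillier-style partial discrete logarithm (my choice of method for the factorization trapdoor) and rejects when $A \neq g^\rho \bmod N^2$, while `decrypt_variant_dlog` shows that the discrete-log trapdoor accepts the same out-of-range ciphertext. The primes $p = 1019$, $q = 1187$ and $g = 4$ are assumptions of the example.

```python
from math import gcd

P, Q = 1019, 1187                               # constructed toy safe primes
N = P * Q
N2 = N * N
LAM = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)   # lambda(N) = 2 p' q'
ORD_G = N * LAM // 2                            # order of G (squares mod N^2)
G = 4                                           # checked below: maximal order in G
assert all(pow(G, ORD_G // f, N2) != 1 for f in (P, Q, (P - 1) // 2, (Q - 1) // 2))


def L(u):
    """(u - 1) / N for u = 1 mod N."""
    assert (u - 1) % N == 0
    return (u - 1) // N


K_G = L(pow(G, LAM, N2))          # g^lambda = 1 + K_G N mod N^2, K_G invertible mod N


def partial_dlog(y):
    """log_g y mod N, computable only with the factorization (lambda(N) is needed)."""
    return L(pow(y, LAM, N2)) * pow(K_G, -1, N) % N


def encrypt_variant(h, m, r):
    """Same formulas as the basic scheme; an honest sender picks r in Z_N."""
    return pow(G, r, N2), pow(h, r, N2) * (1 + m * N) % N2


def decrypt_variant_factor(h, ct):
    """Factorization trapdoor with the range check: rho = log_g A mod N, A must equal g^rho."""
    A, B = ct
    rho = partial_dlog(A)
    if pow(G, rho, N2) != A:
        return None                             # exponent outside Z_N: reject
    D = B * pow(pow(h, rho, N2), -1, N2) % N2   # h^r computed as h^rho
    if D % N != 1:
        return None
    return L(D)


def decrypt_variant_dlog(h, a, ct):
    """Discrete-log trapdoor: h^r = A^a; r itself is never seen, so its range is unchecked."""
    A, B = ct
    D = B * pow(pow(A, a, N2), -1, N2) % N2
    if D % N != 1:
        return None
    return L(D)


if __name__ == "__main__":
    a = 2718281
    h = pow(G, a, N2)
    ok = encrypt_variant(h, 31337, 777)          # r in Z_N
    bad = encrypt_variant(h, 31337, 777 + N)     # r outside Z_N, same r mod N
    print(decrypt_variant_factor(h, ok), decrypt_variant_dlog(h, a, ok))    # 31337 31337
    print(decrypt_variant_factor(h, bad), decrypt_variant_dlog(h, a, bad))  # None 31337
```

The out-of-range ciphertext has the same $\rho$ as the honest one, but $g^\rho \neq g^{\rho + N}$ because $g$ has order $N\lambda(N)/2$, which is exactly what the comparison catches.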


6.2 The Small Diffie-Hellman Problem over $\mathbb{Z}^*_{N^2}$

We introduce a new variant of the Diffie-Hellman Problem. In a nutshell, when given $(A, B) = (g^a, g^b)$ where $b$ is small, i.e. $b \in \mathbb{Z}_N$, the computational (resp., decisional) problem consists in computing (resp., distinguishing from a random element in $G$) the value $C = g^{ab} \bmod N^2$.

We thus state the Small Decisional Diffie-Hellman Assumption (S-DDH) over a squared composite modulus of the form $N = pq$.

Assumption 14 (Small-DDH Assumption over $\mathbb{Z}^*_{N^2}$). For every probabilistic polynomial time algorithm $\mathcal{A}$, there exists a negligible function $\mathrm{negl}()$ such that for sufficiently large $\ell$

$$\left|\Pr\left[\begin{array}{l} p, q \leftarrow \mathcal{SP}(\ell/2);\ N = pq;\\ g \leftarrow G;\ x, z \leftarrow [1, \mathrm{ord}(G)];\ y \leftarrow \mathbb{Z}_N;\\ X = g^x \bmod N^2;\ Y = g^y \bmod N^2;\\ Z_0 = g^z \bmod N^2;\ Z_1 = g^{xy} \bmod N^2;\\ b \leftarrow \{0, 1\}; \end{array} \ :\ \mathcal{A}(N, X, Y, Z_b \bmod N) = b\right] - \frac{1}{2}\right| = \mathrm{negl}(\ell).$$
One easily proves the following two theorems:

Theorem 15. The Small (Computational) Diffie-Hellman Problem cannot be harder than factoring.

Theorem 16. The above variant of our cryptosystem is semantically secure under the Small Decisional Diffie-Hellman assumption.

Indeed, knowing the factorization of $N$ allows one to fully retrieve the second exponent, thus making the computational problem trivial. The proof for the second theorem is similar to the proof for the basic scheme (Theorem 11).

6.3 A New Hierarchical Encryption Scheme 

A hierarchical encryption scheme [10] can be simply based on our scheme by providing the authority with the master key (the factorization of the modulus) and by giving to each player a local key (an ElGamal-like private key).

In such a scheme, anybody is able to encrypt a message for a particular player, in such a way that only this player and the authority are able to decrypt properly. Moreover, by randomly choosing two elements $g, h$ and encrypting with respect to such a "key", it is possible to design ciphertexts that can be decrypted by nobody but the authority.

Further work might consist in investigating such possibilities in the contexts of electronic voting or digital auctions.

7 Conclusion 

This paper is a further investigation within the family of homomorphic cryptosys- 
tems modulo a squared composite number. As a first contribution, we provided 
a new variant of the Cramer-Shoup scheme whose main feature is to offer two 
different decryption procedures, based on two different trapdoors. In particular, 
this scheme is the first additively homomorphic cryptosystem whose security is 
not based on a residuosity-related assumption. Derived from this scheme is a 
new trapdoor commitment, whose security provably relies on the factorization 
problem. This commitment scheme allows for a very interesting on-line/off-line 
efficiency trade-off, without increasing the length of the commitment. 
A Details for Theorem 10

In that theorem we use the fact that the distribution of the oracle input is statistically close to the uniform one. Here we prove this fact in more detail.

More formally, we want to evaluate the statistical distance $\delta$ between the two following distributions:

$$\left\{ g^{r_1 + r_2\lambda/2} \,\middle|\, (r_1, r_2) \in \mathbb{Z}_{\lambda/2} \times \mathbb{Z}_N \right\} \quad \text{and} \quad \left\{ g^{r_1}(1 + r_2 N) \,\middle|\, (r_1, r_2) \in \mathbb{Z}_{(N+1)/4} \times \mathbb{Z}_N \right\}.$$

First we note that the map $\mathbb{Z}_{\lambda/2} \times \mathbb{Z}_N \rightarrow G : (c_1, c_2) \mapsto c = g^{c_1 + c_2\lambda/2} \bmod N^2$ is a bijection. Thus we have to compute:

$$\delta = \sum_{c \in G} \left| \Pr_{\substack{r_1 \in_R \mathbb{Z}_{\lambda/2}\\ r_2 \in_R \mathbb{Z}_N}}\left[ g^{r_1 + r_2\lambda/2} = c \right] - \Pr_{\substack{r_1 \in_R \mathbb{Z}_{(N+1)/4}\\ r_2 \in_R \mathbb{Z}_N}}\left[ g^{r_1}(1 + r_2 N) = c \right] \right|$$
$$= \sum_{c \in G} \left| \Pr_{r_1 \in_R \mathbb{Z}_{\lambda/2}}[r_1 = c_1] \cdot \Pr_{r_2 \in_R \mathbb{Z}_N}[r_2 = c_2] - \Pr_{\substack{r_1 \in_R \mathbb{Z}_{(N+1)/4}\\ r_2 \in_R \mathbb{Z}_N}}\left[ g^{r_1}(1 + r_2 N) = c \right] \right|$$
$$= \sum_{c \in G} \left| \frac{2}{\lambda} \times \frac{1}{N} - \Pr_{\substack{r_1 \in_R \mathbb{Z}_{(N+1)/4}\\ r_2 \in_R \mathbb{Z}_N}}\left[ g^{r_1}(1 + r_2 N) = c \right] \right|.$$

Denoting $g^{\lambda/2} = 1 + \alpha N \bmod N^2$ and $\beta = \alpha^{-1} \bmod N$, we have $g^{r_1}(1 + r_2 N) = g^{r_1 + r_2\beta\lambda/2} \bmod N^2$. Then we observe that for $\lambda/2 \le r_1 < \frac{N+1}{4}$, we have the following "collision":

$$g^{r_1 + r_2\beta\lambda/2} = g^{(r_1 - \lambda/2) + (r_2\beta + 1)\lambda/2} \pmod{N^2}.$$

Hence, two cases appear when summing up (of course, the probabilities that $r_2$ or $r_2\beta$ or $r_2\beta + 1$ equals a given $c_2$ are all $1/N$):

$$\Pr\left[ g^{r_1 + r_2\beta\lambda/2} = g^{c_1 + c_2\lambda/2} \right] = \begin{cases} \dfrac{8}{N+1} \times \dfrac{1}{N} & \text{if } 0 \le c_1 < \dfrac{N+1}{4} - \dfrac{\lambda}{2}, \\[8pt] \dfrac{4}{N+1} \times \dfrac{1}{N} & \text{if } \dfrac{N+1}{4} - \dfrac{\lambda}{2} \le c_1 < \dfrac{\lambda}{2}. \end{cases}$$

Consequently, we get:

$$\delta = N\left(\frac{N+1}{4} - \frac{\lambda}{2}\right)\left|\frac{2}{\lambda N} - \frac{8}{N(N+1)}\right| + N\left(\lambda - \frac{N+1}{4}\right)\left|\frac{2}{\lambda N} - \frac{4}{N(N+1)}\right|.$$

This is easily seen negligible.
Abstract. We estimate the yield of the number field sieve factoring algorithm when applied to the 1024-bit composite integer RSA-1024 and the parameters as proposed in the draft version [17] of the TWIRL hardware factoring device [18]. We present the details behind the resulting improved parameter choices from [18].

Keywords: 1024-bit RSA, factorization, number field sieve, TWIRL 


1 Introduction 

RSA with 1024-bit moduli is widely used. It is unlikely that breaking a single 1024-bit RSA modulus will change much, just as repeatedly breaking DES had, for obvious economic reasons, limited effect on legacy applications. Nevertheless, despite the possible lack of immediate practical relevance, in cryptographic circles there is widespread interest in the question of how hard it would be to factor a 1024-bit RSA modulus (cf. [2], [12]).

At the Asiacrypt 2002 rump session an innovative hardware device, ‘TWIRL’, 
was presented that would be able to factor 1024-bit RSA moduli at a much lower 
cost than before. The work reported here was inspired by that presentation and 
the draft of TWIRL [17]. The draft presents cost estimates for a number field 
sieve (NFS) factorization of a 1024-bit composite that rely on extrapolations of 
parameter settings used for a 512-bit NFS factorization (cf. Section 4). To our 

C.S. Laih (Ed.): ASIACRYPT 2003, LNCS 2894, pp. 55-74, 2003. 
knowledge the accuracy of long range extrapolation from 512 to 1024 bit parameter selection had never been properly tested. Our goal was therefore to do a
‘reality check’ of the choices made in [17]. Given the many uncertainties involved 
in the factoring process we did not expect conclusive results but hoped to get an 
indication if the proposed parameters looked ‘reasonable’ or not. As it turned 
out, our results suggested that the choices were over-optimistic. Our approach 
was subsequently adopted by the authors of TWIRL. It allowed them to derive 
realistic parameters and to fine-tune the improved design [18]. The additional 
cost of the new choices is offset, approximately, by the greater efficiency of the 
new design, so that the overall cost estimates of [17] and [18] are similar. The 
details of the parameter settings from [18] are presented in Appendix B. 

A sketch of our approach follows. We assume elementary background on 
the NFS (cf. Section 2). We selected the number RSA-1024 from [16] as a rep- 
resentative 1024-bit RSA modulus. This choice was supported by experiments 
that did not reveal significant differences between RSA-1024 and several other 
1024-bit products of randomly selected 512-bit primes. We followed the search 
strategy from [13], [14], [15] to select number fields of degrees 5, 6, 7, 8, and 9 
for RSA-1024, but we did not spend as much time on the search as we would 
have done for an actual factoring attempt. The resulting number fields can thus 
be regarded as somewhat worse than the number fields that would result from 
a more extensive search and the resulting estimates are on the pessimistic side. 
The better polynomial selection program of Jens Franke and Thorsten Kleinjung 
can handle only degree 5. It was used in Appendix B. 

For all these number fields and a wide range of factor base sizes and sieving 
regions (including the choices made in [17]) we estimated the expected number of 
relations using numerical approximation of the applicable smoothness and semi- 
smoothness probabilities. Unfortunately, there is no a priori way to evaluate how 
close the resulting estimates are to the actual yield. To validate the estimates, 
we therefore ran extensive (semi-)smoothness tests on the actual numbers that 
would appear in an NFS factoring attempt, restricted to the most promising 
degrees and subsets of the sieving regions. We used the relatively slow test de- 
scribed in Section 3. This posed no problems because our object was determining 
the yield, not optimizing the speed. It can be seen in Section 5 that although the 
different methods do not produce identical results, the actual smoothness tests 
do inspire a high level of confidence in the numerical approximations. 

Furthermore, we computed similar estimates for the multiple number field 
approach from [5], under the untested and possibly over-optimistic assumption 
that all number fields are about equally ‘good’ as the number fields we generated 
(cf. Section 6). In the same section we estimated the yield under the assumption 
that we are able to find much better number fields than we found, for instance 
by adapting the Franke/Kleinjung program to higher degrees. Corresponding 
actual smoothness experiments were not performed for these variations, because 
they involve number fields that we did not actually manage to construct. 

There is nothing new to our approach and neither are the results earth-shaking. In particular we did not attempt to address the uncertainties referred to above, namely to analyse the cycle-matching behavior of relations involving large primes. We are not aware of any progress in that area. Despite the lack of
innovative results, we hope that the approach presented in this paper is help- 
ful to other researchers in this field. From that point of view our work already 
proved useful, as witnessed by the evolution of [17] into [18] (cf. Appendix B). 

2 Number Field Sieve Background 

This section describes the parts of the number field sieve factoring algorithm which are relevant for this paper. See [10] for further details. The number of primes $< x$ is denoted by $\pi(x)$. An integer is $y$-smooth if all its prime factors are $< y$. An integer $k$ is $(y, z, \ell)$-semi-smooth if it is $y$-smooth except for at most $\ell$ prime factors that are $> y$ and $< z$ (referred to as large primes). If this is the maximal such $\ell$, then $k$ is strictly $(y, z, \ell)$-semi-smooth.

Regular NFS. Let $n$ be the number to be factored. Fix a degree $d$. Find an integer $m$ (close to ...) and an irreducible polynomial $f \in \mathbb{Z}[X]$ of degree $d$ such that $f(m) = 0 \bmod n$, and a corresponding skewness ratio $s$ (cf. [13], [14], [15]). This $f$ is chosen such that the values $b^d f(a/b)$, for coprime pairs of integers $(a, b)$ with $b > 0$, have a larger than average $y$-smooth factor, for small $y$. For integer $k$, let $\eta(y, k)$ denote the largest $y$-smooth factor of $k$ and $\Lambda(y, k) = \log(\eta(y, k))$ the natural logarithm thereof. For random integers, the expected value $E(y)$ of $\Lambda(y, k)$ is known to be

$$E(y) = \sum_{p < y,\ p \text{ prime}} (\log p)/(p - 1).$$

The expected value $E_f(y)$ of $\Lambda(y, b^d f(a/b))$ can be determined experimentally by averaging $\Lambda(y, b^d f(a/b))$ over a large random set of coprime pairs $(a, b)$ with $b > 0$. The correction factor that measures $f$'s advantage is defined as $t = \exp(E_f(2^{30}) - E(2^{30}))$.

Fix rational smoothness and semi-smoothness bounds $y_r$ and $z_r$ and algebraic ones $y_a$ and $z_a$, with $y_r < z_r$ and $y_a < z_a$. Fix the number of large primes on the rational side $\ell_r$ and on the algebraic side $\ell_a$. In the sieving step find relations: pairs of coprime integers $(a, b)$ with $b > 0$ such that the rational norm $N_r(a, b) = |a - bm|$ is $(y_r, z_r, \ell_r)$-semi-smooth and the algebraic norm $N_a(a, b) = |b^d f(a/b)|$ is $(y_a, z_a, \ell_a)$-semi-smooth. If $N_r(a, b)$ is $y_r$-smooth and $N_a(a, b)$ is $y_a$-smooth, the relation is referred to as a full relation, otherwise it is called a partial relation. Approximately $\pi(\min(y_r, y_a))/d!$ full relations are free, namely one for each prime $p < \min(y_r, y_a)$ such that $f$ has $d$ roots modulo $p$ (cf. [10]). A non-free relation $(a, b)$ for which $N_r(a, b)$ is strictly $(y_r, z_r, L_r)$-semi-smooth and $N_a(a, b)$ is strictly $(y_a, z_a, L_a)$-semi-smooth will be called an $(L_r, L_a)$-partial relation. We use the standard abbreviations ff for $(0, 0)$-partial relations, fp for $(0, 1)$-partial relations, pf for $(1, 0)$-partial relations and pp for $(1, 1)$-partial relations.

For the $N_r(a, b)$'s the sieving step involves sieving with the primes $< y_r$, the rational factor base of cardinality $\pi(y_r)$. For the $N_a(a, b)$'s it involves sieving with pairs $(p, r)$ with $p < y_a$ prime and $f(r) = 0 \bmod p$, the algebraic factor base of cardinality $\approx \pi(y_a)$. Let $T(y_r, y_a) = \pi(y_r) + \pi(y_a) - \pi(\min(y_r, y_a))/d!$.

The purpose of the sieving step is to find approximately $T(y_r, y_a)$ independent cycles: sets $C$ of relations such that $\prod_{(a,b) \in C} N_r(a, b)$ is a square times a $y_r$-smooth number and, simultaneously, $\prod_{(a,b) \in C} N_a(a, b)$ is a square times a $y_a$-smooth number. The condition on the last square is slightly more involved; see below. A full relation is a cycle of length 1. Two $(1, 0)$-partial relations whose rational norms share a large prime can be combined into a cycle of length 2. Similarly, for two $(0, 1)$-partial relations $(a_1, b_1)$ and $(a_2, b_2)$ whose algebraic norms share the large prime $p$, a length 2 cycle follows if the relations correspond to the same root of $f$ mod $p$, i.e., if $a_1/b_1 = a_2/b_2 \bmod p$. Longer cycles may be built by pairing matching rational large primes or matching algebraic large primes with corresponding roots.

The part of the $(a, b)$-plane where relations are sought, the sieving region, consists of $a, b$ with $-A < a < A$ and $0 < b < B$ for sufficiently large $A, B > 0$ with $A/B \approx s$. The size $2AB$ of the sieving region is denoted by $S$. A rectangular sieving region is in general not optimal in the sense that certain carefully chosen and somewhat smaller regions may yield the same number of relations (cf. [20]). For our yield computations this is hardly a concern.
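A toy instance of the relation definitions above, as an added Python example (not the paper's code): $n = m^2 + 1$ with $m = 1010$, so $f(X) = X^2 + 1$, $d = 2$, $N_r(a, b) = |a - bm|$ and $N_a(a, b) = a^2 + b^2$; the bounds $y_r = y_a = 30$, $z_r = z_a = 2000$, $\ell_r = \ell_a = 1$ and the instance itself are my choices. It classifies coprime pairs as ff/fp/pf/pp relations by trial division, scans a rectangular sieving region, counts the free relations (primes $p < y$ for which $f$ has $d$ roots mod $p$) and computes $E(y)$.

```python
from math import gcd, log

# Constructed toy instance (not from the paper): n = m^2 + 1, f(X) = X^2 + 1 (irreducible),
# f(m) = 0 mod n, degree d = 2.  Norms: N_r(a, b) = |a - b m|, N_a(a, b) = |b^2 f(a/b)|.
M = 1010
N_TO_FACTOR = M * M + 1
D = 2


def rational_norm(a, b):
    return abs(a - b * M)


def algebraic_norm(a, b):
    """|b^d f(a/b)| for f = X^2 + 1."""
    return abs(a * a + b * b)


def trial_factor(k):
    """Prime factors of k >= 1 in non-decreasing order (trial division; fine at toy sizes)."""
    factors, p = [], 2
    while p * p <= k:
        while k % p == 0:
            factors.append(p)
            k //= p
        p += 1
    if k > 1:
        factors.append(k)
    return factors


def large_prime_count(k, y, z, ell):
    """Number of large primes if k is (y, z, ell)-semi-smooth, else None.
    Large primes are > y and < z; a y-smooth k gives 0.  The count is the strict level."""
    if k == 0:
        return None
    large = [p for p in trial_factor(k) if p > y]
    if len(large) > ell or any(p >= z for p in large):
        return None
    return len(large)


def classify(a, b, yr=30, zr=2000, lr=1, ya=30, za=2000, la=1):
    """'ff', 'fp', 'pf' or 'pp' for an (L_r, L_a)-partial relation, None if (a, b) is none."""
    if b <= 0 or gcd(a, b) != 1:
        return None
    Lr = large_prime_count(rational_norm(a, b), yr, zr, lr)
    La = large_prime_count(algebraic_norm(a, b), ya, za, la)
    if Lr is None or La is None:
        return None
    return ('f' if Lr == 0 else 'p') + ('f' if La == 0 else 'p')


def sieve_region(A, B, **bounds):
    """Count relation types over the rectangular region -A < a < A, 0 < b < B (size 2AB)."""
    counts = {'ff': 0, 'fp': 0, 'pf': 0, 'pp': 0}
    for b in range(1, B):
        for a in range(-A + 1, A):
            label = classify(a, b, **bounds)
            if label:
                counts[label] += 1
    return counts


def expected_smooth_log(y):
    """E(y) = sum over primes p < y of log(p)/(p - 1)."""
    return sum(log(p) / (p - 1) for p in range(2, y) if len(trial_factor(p)) == 1)


def free_relations(y):
    """Primes p < y for which f has d distinct roots mod p (about pi(y)/d! of them)."""
    count = 0
    for p in range(2, y):
        if len(trial_factor(p)) != 1:
            continue
        roots = {x for x in range(p) if (x * x + 1) % p == 0}
        count += len(roots) == D
    return count


if __name__ == "__main__":
    for pair in [(2, 1), (10, 1), (3, 1), (11, 1), (3, 2)]:
        print(pair, classify(*pair))          # ff, fp, pf, pp, None
    print(sieve_region(20, 3), free_relations(30), round(expected_smooth_log(30), 4))
```

The pair $(3, 2)$ is rejected because $N_r(3, 2) = 2017$ is a prime above $z_r$, which is the "at most $\ell$ large primes below $z$" condition in action; the ff/fp/pf/pp labels follow the convention in the text.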

Given approximately $T(y_r, y_a)$ independent cycles, the factorization of $n$ follows by applying the matrix step to the cycles and the square-root step to the results of the matrix step; these final two steps are not discussed in this paper.

Cycle Yield. The number of relations required to obtain $T(y_r, y_a)$ independent cycles is determined by the matching behavior of the large primes. This behavior varies from factorization to factorization and is not yet well understood. Obviously, $T(y_r, y_a)$ distinct (non-free) full relations suffice, but this is necessary only if the large primes cannot be paired at all — that has never occurred in practice so far. Furthermore, the behavior gets considerably more complicated if more than a single large prime is allowed in the rational and algebraic norms. This is customary in current factorizations because it leads to a considerable speedup (cf. [4]). The uncertainty about the matching behavior of the large primes is the main reason that it is currently impossible to give reliable estimates for the difficulty of factoring numbers that are much larger than the numbers we have experience with. For that reason, we mostly restrict ourselves to estimates of the sieving region that would be required to find $T(y_r, y_a)/c$ non-free full relations for a range of $y_r$ and $y_a$ values and several values of $c > 1$. Note that, for any number of large primes per relation, $\pi(z_r) + \pi(z_a)$ relations always suffice.

Effort Required. For smoothness bounds $y_r$ and $y_a$, sieving region size $S$ and assuming a traditional implementation, the sieving effort is dominated by the number of times the primes and (prime, root) pairs in the factor bases hit the sieving region. This value is approximately proportional to

$$S(\log\log(y_r) + \log\log(y_a)).$$

Furthermore, memory for the sieve and the factor bases may be needed.



Factoring Estimates for a 1024-Bit RSA Modulus 


Coppersmith's Multi-polynomial Version. As shown in [5] an improvement of the regular NFS can be obtained by considering a set $\mathcal{G}$ of irreducible degree $d$ polynomials with shared root $m$ modulo $n$. In that case, a relation is a pair of coprime integers $(a, b)$ with $b > 0$ such that $N_r(a, b)$ is $(y_r, z_r, \ell_r)$-semi-smooth and $b^d g(a/b)$ is $(y_a, z_a, \ell_a)$-semi-smooth for a $g \in \mathcal{G}$. The goal is to find $\pi(y_r) + \#\mathcal{G}\,(\pi(y_a) - \pi(\min(y_r, y_a))/d!)$ cycles. First, sieving is used to find a set $V$ of $(y_r, z_r, \ell_r)$-semi-smooth rational norms (with $a$ and $b$ coprime). Next, a smoothness test different from sieving is used (in [5] the elliptic curve method is suggested) to test $b^d g(a/b)$ for $(y_a, z_a, \ell_a)$-semi-smoothness for all $(a, b) \in V$ and all $g \in \mathcal{G}$. The approximate runtime of the relation collection becomes proportional to

$$S\log\log(y_r) + E(\#V)(\#\mathcal{G})$$

where $E$ is a constant of proportionality that depends on the $(y_a, z_a, \ell_a)$-semi-smoothness test used. Its value is best determined empirically.

3 Number Field Sieve Analysis and Estimates 

Let the notation be as above. This section describes the methods we used to 
estimate the yield of the NFS. Let L_x[r, α] denote any function of x that equals 

exp((α + o(1)) (log x)^r (log log x)^{1−r}), for x → ∞, 

where α and r are real numbers with 0 < r < 1 and logarithms are natural. 

Estimating Smoothness and Semi-smoothness Probabilities. Let σ_ℓ(u, v) 
denote the probability that a random integer < x is strictly (x^{1/u}, x^{1/v}, ℓ)- 
semi-smooth, for x → ∞. In particular, σ_0(u, v) is the probability of x^{1/u}- 
smoothness, and equals the Dickman ρ(u) function (cf. [1], [6]) which is u^{−u+o(1)} 
for u → ∞ (cf. [3], [7]). Also, let σ̂_2(u, v, w) be the probability that a random in- 
teger < x is x^{1/u}-smooth except for exactly two prime factors > x^{1/u} and < x^{1/v} 
whose product is < x^{1/w} (note that σ_2(u, v) = σ̂_2(u, v, v/2)). We assume that 
these functions give good approximations of the semi-smoothness probabilities 
for the finite values of x that we consider (cf. Section 5, [1], [9]). 

Closed expressions for σ_ℓ are not known. Thus, for ρ and σ_1 we used the 
numerical approximation methods given in [1]. To compute σ_2 and σ̂_2 we used 
a natural generalization of [9, Theorem 3.1] and performed the integration nu- 
merically using the GNU Scientific Library. 

Asymptotic Runtime. It is heuristically assumed that with respect to 
smoothness properties N_r(a, b) and N_a(a, b) behave independently as random in- 
tegers of comparable sizes. It follows that a pair of coprime integers (a, b) leads to 
a full relation with probability u_r^{−u_r+o(1)} · u_a^{−u_a+o(1)}, where 
u_r = log(N_r(a, b))/log(y_r) and u_a = log(N_a(a, b))/log(y_a). Optimization of 
the parameters leads to the heuristic asymptotic expected NFS runtime 
L_n[1/3, (64/9)^{1/3}] ≈ L_n[1/3, 1.923], for n → ∞, y_r and y_a both equal to 
L_n[1/3, (8/9)^{1/3}] (the ‘square-root of the runtime’), and the sieving region size 
S = L_n[1/3, (64/9)^{1/3}]. The correction factor t and large 
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primes are believed to affect these values only by a constant factor (which 
disappears in the o(1)). Coppersmith's multi-polynomial variant [5] runs, 
asymptotically, slightly faster in expected time L_n[1/3, 1.902]. These expressions 
provide some insight into parameter selection, but the presence of the o(1) limits 
their practical value. See Section 4 for how they are often used in practice. 
Estimating the Yield Using ρ and σ_ℓ. For actual yield estimates we include 
the correction factor t defined in Section 2. Redefine u_a = , and 
define v_r = , v_a = . Then under the same assumptions as 
above, it follows that (a, b) forms an (L_r, L_a)-partial relation with probability 

σ_{L_r}(u_r, v_r) · σ_{L_a}(u_a, v_a). 

Integration of these probabilities over the sieving region gives an estimate for the 
total yield of (L_r, L_a)-partial relations. An estimate for #V in the runtime of 
Coppersmith's variant is obtained by integrating the σ_{L_r}(u_r, v_r) values over the 
sieving region. Similar integrations are used to compute candidate frequencies in 
Appendix B. A correction factor 6/π² ≈ 0.608 is applied to all results to account 
for the probability that a and b are coprime. The integrations were carried out 
using Mathematica and the GNU Scientific Library. 
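
The following Python is an added illustration and is not code from the paper: it tabulates Dickman's ρ by a plain trapezoid scheme for u·ρ(u) = ∫_{u−1}^{u} ρ(t) dt (the paper used the methods of [1] and the GNU Scientific Library), forms the full-relation probability ρ(u_r)·ρ(u_a) with u = log N / log y, and sums it over a constructed toy sieving region with the 6/π² coprimality factor. The polynomial f, the integer m and the bounds are constructed, N_r(a, b) = |a − bm| assumes a monic rational polynomial X − m, and the semi-smoothness probabilities σ_ℓ are not computed here.

```python
import math

# Added example (not the paper's code). Dickman's rho by numerical integration
# and a rho-based full-relation yield estimate over a constructed sieving region.

def dickman_rho_table(u_max, steps_per_unit=1000):
    """Tabulate rho(u) on the grid u = k/steps_per_unit, 0 <= u <= u_max.

    rho(u) = 1 for u <= 1; for u > 1, u*rho(u) = integral of rho over [u-1, u].
    The integral is taken with the trapezoid rule; the unknown endpoint value
    rho(u) occurs on both sides, so the linear equation is solved for it.
    """
    n_per = steps_per_unit
    h = 1.0 / n_per
    n = int(round(u_max * n_per))
    rho = [1.0] * (n + 1)
    if n <= n_per:
        return rho, h
    # interior grid points of [u-1, u] for the first u > 1: indices 2 .. n_per
    interior = sum(rho[2:n_per + 1])
    for k in range(n_per + 1, n + 1):
        u = k * h
        rhs = (h / u) * (0.5 * rho[k - n_per] + interior)
        rho[k] = rhs / (1.0 - h / (2.0 * u))
        # slide the window: next interval has interior indices k-n_per+2 .. k
        interior += rho[k] - rho[k - n_per + 1]
    return rho, h

_RHO_TABLE, _RHO_H = dickman_rho_table(12.0)

def dickman_rho(u):
    """rho(u) by linear interpolation in the table; beyond the table it is treated as 0."""
    if u <= 1.0:
        return 1.0
    idx = u / _RHO_H
    i = int(idx)
    if i + 1 >= len(_RHO_TABLE):
        return 0.0
    frac = idx - i
    return _RHO_TABLE[i] * (1.0 - frac) + _RHO_TABLE[i + 1] * frac

def full_relation_probability(norm_r, norm_a, y_r, y_a):
    """rho(u_r) * rho(u_a) with u = log(norm) / log(smoothness bound)."""
    u_r = math.log(norm_r) / math.log(y_r)
    u_a = math.log(norm_a) / math.log(y_a)
    return dickman_rho(u_r) * dickman_rho(u_a)

def homogeneous_norm(f, a, b):
    """N_a(a, b) = |b^d f(a/b)| for f given as coefficients f[0] + f[1] X + ... + f[d] X^d."""
    d = len(f) - 1
    return abs(sum(c * a ** i * b ** (d - i) for i, c in enumerate(f)))

def estimate_full_relations(f, m, a_bound, b_bound, y_r, y_a):
    """Expected number of full relations for |a| <= a_bound, 1 <= b <= b_bound.

    Sums rho(u_r)*rho(u_a) over all pairs and multiplies by 6/pi^2 for the
    probability that a and b are coprime, as the paper does. N_r(a, b) = |a - b m|
    assumes a monic rational polynomial X - m (assumption of this example).
    """
    total = 0.0
    for b in range(1, b_bound + 1):
        for a in range(-a_bound, a_bound + 1):
            n_r = abs(a - b * m)
            n_a = homogeneous_norm(f, a, b)
            if n_r == 0 or n_a == 0:
                continue
            total += full_relation_probability(n_r, n_a, y_r, y_a)
    return total * 6.0 / math.pi ** 2

if __name__ == "__main__":
    # constructed toy instance: f(X) = X^3 + 2X + 5, m = 10^6, bounds y = 10^4
    print("rho(2) =", dickman_rho(2.0), "(exact: 1 - ln 2 =", 1 - math.log(2), ")")
    print("expected ffs:", estimate_full_relations([5, 2, 0, 1], 10 ** 6, 50, 5, 10 ** 4, 10 ** 4))
```

The trapezoid scheme is accurate to a few units in the sixth decimal for u up to 12 with 1000 steps per unit; ρ(2) = 1 − ln 2 and ρ(3) ≈ 0.0486 are convenient checks.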

Actual Smoothness Tests. To get an impression of the accuracy of the above 
ρ and σ_ℓ-based estimates compared to the actual NFS yield, we tested N_r(a, b)- 
and N_a(a, b)-values for smoothness for wide ranges of (a, b) pairs. Because it has 
never been doubted that the probability that N_r(a, b) and N_a(a, b) are smooth 
equals the product of the smoothness probabilities, we did not test that assump- 
tion. 

We had no access to a siever that allows the range of factor base sizes we 
intended to test, nor to hardware on which it would be able to run efficiently. 
Therefore we wrote a smoothness test that uses trial division up to 2^30 combined 
with the elliptic curve factoring method (ECM). The choice 2^30 was partially 
inspired by our wish not to miss any semi-smooth N_r(a, b)- or N_a(a, b)-values that 
would, in theory, be found when using one of the parameter choices from [17]. 

The simplest approach would have been to subject each successive number to 
be tested to trial division followed, if necessary, by the ECM. To obtain slightly 
greater speed, and without having to deal with the imperfections (overlooking 
smooth values) and inconveniences (memory requirements, resieving or trial di- 
visions to obtain the cofactor) of sieving, the trial divisions were organized in 
such a way that a large consecutive range of a's could be handled reasonably 
efficiently, for a fixed b. For the algebraic norms this was achieved as follows (the 
rational norms are processed similarly). Let [A_1, A_2] be a range of a-values to 
be processed. For all (prime, root) pairs (p, r) with p < 2^30 calculate the smallest 
a_p ≥ A_1 such that a_p ≡ br mod p (i.e., p divides N_a(a_p, b)) and if a_p ≤ A_2 insert 
the pair (p, a_p) in a heap that is ordered with respect to non-decreasing a_p values. 
Next, for a = A_1, A_1 + 1, ..., A_2 in succession compute c_a = N_a(a, b), remove all 
elements with a_p = a from the top of the heap, remove all corresponding factors 
p from c_a, and if a_p + p ≤ A_2 insert (p, a_p + p) in the heap. Note that this can be 
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seen as a variant of the ‘largish station’ design from [18]. The resulting c_a values 
have no factors < 2^30, are prime if < 2^60, and are subjected to the ECM if 
composite. Due to the probabilistic nature of the ECM, factors between 2^30 and the 
smoothness bound y_a (or y_r) may be overlooked. With proper ECM parameter 
settings and reasonably sized y_a (and y_r) this does not occur often. Furthermore, 
no relation relevant for the primary choice in [17] will be overlooked. 
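
The heap-driven trial division described above, written out as an added Python example (not the paper's code): for a fixed b, every (prime, root) pair is advanced through the range [A_1, A_2] in steps of p via a min-heap keyed on the next a it divides, so each norm N_a(a, b) is only touched by the primes that actually divide it. The polynomial f(X) = X^3 + 2X + 5, the trial-division bound 30 and the ranges are constructed toy values; primes dividing b, for which the root condition a ≡ br (mod p) carries no information, are divided out directly, a detail the paper's sketch leaves implicit. A naive per-norm trial division is included so the two can be compared; the ECM stage for the remaining cofactors is not shown.

```python
import heapq

# Added example (not the paper's code): trial division of N_a(a, b) over a
# consecutive range of a for fixed b, driven by a heap of (next a, p) pairs.

def small_primes(bound):
    """Primes p < bound by a sieve of Eratosthenes (bound >= 2)."""
    flags = bytearray([1]) * bound
    flags[0:2] = b"\x00\x00"
    for i in range(2, int(bound ** 0.5) + 1):
        if flags[i]:
            flags[i * i::i] = bytearray(len(flags[i * i::i]))
    return [p for p in range(2, bound) if flags[p]]

def homogeneous_norm(f, a, b):
    """N_a(a, b) = |b^d f(a/b)|; f is the coefficient list f[0] + f[1] X + ... + f[d] X^d."""
    d = len(f) - 1
    return abs(sum(c * a ** i * b ** (d - i) for i, c in enumerate(f)))

def roots_mod_p(f, p):
    """Roots of f modulo p by exhaustive search (adequate for the small p used here)."""
    return [r for r in range(p) if sum(c * pow(r, i, p) for i, c in enumerate(f)) % p == 0]

def factor_base(f, bound):
    """All (prime, root) pairs (p, r) with p < bound and f(r) = 0 mod p."""
    return [(p, r) for p in small_primes(bound) for r in roots_mod_p(f, p)]

def heap_trial_division(f, primes, fb, b, a_lo, a_hi):
    """Map a -> cofactor of N_a(a, b) after removing all primes < bound, a_lo <= a <= a_hi."""
    heap = []
    for p, r in fb:
        if b % p == 0:
            continue                      # handled below: p | b makes a = b r (mod p) degenerate
        target = (b * r) % p
        a_p = a_lo + ((target - a_lo) % p)  # smallest a_p >= a_lo with a_p = b r (mod p)
        if a_p <= a_hi:
            heapq.heappush(heap, (a_p, p))
    divides_b = [p for p in primes if b % p == 0]
    cofactors = {}
    for a in range(a_lo, a_hi + 1):
        c = homogeneous_norm(f, a, b)
        # every (p, a_p) with a_p = a sits at the top of the heap: pop, divide, re-insert at a + p
        while heap and heap[0][0] == a:
            _, p = heapq.heappop(heap)
            if c:
                while c % p == 0:
                    c //= p
            if a + p <= a_hi:
                heapq.heappush(heap, (a + p, p))
        for p in divides_b:               # p | b: p | N_a(a, b) iff p | f_d a^d, test directly
            if c:
                while c % p == 0:
                    c //= p
        cofactors[a] = c
    return cofactors

def naive_trial_division(f, primes, b, a_lo, a_hi):
    """Reference: divide every norm by every prime; same result, far more divisions."""
    out = {}
    for a in range(a_lo, a_hi + 1):
        c = homogeneous_norm(f, a, b)
        for p in primes:
            if c:
                while c % p == 0:
                    c //= p
        out[a] = c
    return out

if __name__ == "__main__":
    F = [5, 2, 0, 1]                      # constructed: f(X) = X^3 + 2X + 5
    P = small_primes(30)                  # constructed trial-division bound (paper: 2^30)
    FB = factor_base(F, 30)
    cof = heap_trial_division(F, P, FB, 7, -40, 40)
    smooth = [a for a, c in cof.items() if c == 1]
    print("30-smooth N_a(a, 7) for a in [-40, 40]:", smooth)
```

For the constructed f, 7 has the roots 4 and 5 modulo 7 (5 a double root), so with b = 2 the norm N_a(1, 2) = 49 is reached through the pair (7, 4) and reduced to cofactor 1; the two routines must agree on every a, coprime or not, which is what the comparison checks.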

4 Traditional Extrapolation 

In this section we sketch the traditional approach to estimate the difficulty of 
factoring a 1024-bit RSA modulus. Let R indicate a resource required for a 
factorization effort. For instance, R could indicate the computing time or it 
could be the factor base size, or the total matrix weight, or any other aspect of 
the factorization for which one wants to measure the cost or size. 

For each resource R let C_R(x) be a function that measures, asymptotically 
for x → ∞ and in the relevant unit, how much of R is needed to factor x. For 
several resources a theoretical expression for this function is known. For instance, 
when R measures the total expected computing time, then 

C_R(x) ≈ L_x[1/3, (64/9)^{1/3}], 

with L_x[·, ·] as in Section 3. If R measures the factor base size the constant 
(64/9)^{1/3} in this expression would, in theory, be halved. 

Assume that R_{n'} units of some resource R are known to be required (or 
were used) to factor some RSA modulus n'. Then (C_R(n)/C_R(n')) · R_{n'} is used to estimate 
how much of R would be required (or feasible) for the factorization of RSA 
modulus n. In this type of estimate it is customary to ignore all o(1)'s, if they 
occur in C_R. Based on frequent observations this is not unreasonable if log(n') 
and log(n) are close. For large scale extrapolations, however, omitting the o(1)'s 
may be an over-simplification that might produce misleading results. 

Furthermore, even if log(n') and log(n) are close, C_R-based extrapolation for 
resources R that are well understood in theory may lead to results that have 
no practical value. As an example, for a 512-bit factorization, e.g. RSA-155, one 
would recommend a factor base size that is about 2.5 times larger than for a 
462-bit factorization (as RSA-140). In practice, however, the entire concept of 
factor base size is obscured by the use of multiple large primes and special q's: it 
turned out that using the same factor base size did not lead to severe performance 
degradation. 

This particular effect that not-even-nearly-optimal factor base sizes still lead 
to only slightly suboptimal performance is due to the behavior around the 
minimum of the runtime curve as a function of the factor base size: the runtime 
only gradually increases for factor base sizes that are much larger or somewhat 
smaller than the optimum. On the other hand, it increases sharply if the factor 
base size gets much too small (cf. [20]). This explains the potential dangers of 
o(1)-less factor base size extrapolation: a suboptimal small choice, in the region 
where the curve is relatively well behaved, for the factor base for n' may 
extrapolate to a factor base size for n in the steep region of the curve, thereby leading 
to a much larger total runtime for n than anticipated; see also Section 5, Table 2. 

It is not uncommon to use n' = RSA-155 (a 512-bit number) as the basis 
for the extrapolation. In [11] the following parameters were proposed for 512-bit 
numbers (in the notation of Section 2), which is close to the values used for the 
factorization of RSA-155 (cf. [4]): 

512-bit moduli: y_r = y_a = 2^24, sieving region of size S = 1.6e16 (A = 9e9, 
B = 9e5; we use ‘vew’ for ‘v · 10^w’). According to [17] the sieving step can 
be done in less than ten minutes on a US$10K device. 

Straightforward (o(1)-less) extrapolation suggests that 768- and 1024-bit moduli 
would require smoothness bounds that are 75 and 2700 times larger and sieving 
regions that are 6000 and 7.5e6 times larger, respectively: smoothness bounds 
approximately 2^30 and 2^35 and S ≈ 1e20 and S ≈ 1.2e23, respectively. As 
shown in [12] additional optimization arguments may enter into and further 
complicate the extrapolation. In [17] this leads to relatively small estimates for 
the smoothness bounds and relatively large sieving regions: 

768-bit moduli: y_r = y_a = 1.2e7 (< 2^24), S = 4.2e20 (A = 1.5e12, B = 
1.5e8). The sieving step can be done within 70 days on a US$5K device. 
1024-bit moduli: y_r = y_a = 2.5e8 (< 2^28), S = 6e23 (A = 5.5e13, B = 
5.5e9). The sieving step takes a year on a US$10M device. 

Furthermore, the following is given in [17] and claimed to be an overestimate 
based on traditional extrapolation: 

1024-bit moduli, but not using partial relations: y_r = y_a = 1.5e10 (< 
2^34), S = 6e23. The sieving step takes a year on a US$50M device. 
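
The o(1)-less extrapolation of this section, as an added Python example that is not the paper's code: C_R(x) = L_x[1/3, α] with the o(1) dropped, the ratio C_R(n)/C_R(n') taken between 2^512 and 2^768 or 2^1024, and the 512-bit parameters y_r = y_a = 2^24, S = 1.6e16 scaled with the constants (8/9)^{1/3} for the smoothness bounds and (64/9)^{1/3} for the sieving region (the latter also being the runtime constant). Run as is, it reproduces the factors of roughly 75 and 2700 for the bounds and 6000 and 7.5e6 for the regions quoted above; the function and variable names are this example's own.

```python
import math

# Added example (not the paper's code): o(1)-less extrapolation with L_x[1/3, alpha].

ALPHA_RUNTIME = (64.0 / 9.0) ** (1.0 / 3.0)  # ~1.923: runtime and sieving-region constant
ALPHA_SMOOTH = (8.0 / 9.0) ** (1.0 / 3.0)    # ~0.962: smoothness-bound constant

def l_exponent(bits):
    """(log x)^(1/3) (log log x)^(2/3) for x = 2**bits, natural logarithms."""
    log_x = bits * math.log(2.0)
    return log_x ** (1.0 / 3.0) * math.log(log_x) ** (2.0 / 3.0)

def l_value(bits, alpha):
    """L_x[1/3, alpha] with the o(1) dropped, for x = 2**bits."""
    return math.exp(alpha * l_exponent(bits))

def extrapolation_factor(bits_from, bits_to, alpha):
    """C_R(n)/C_R(n') for C_R = L[1/3, alpha], n' of bits_from bits and n of bits_to bits.

    Computed from the exponent difference so it never forms the (huge) values themselves.
    """
    return math.exp(alpha * (l_exponent(bits_to) - l_exponent(bits_from)))

def extrapolate_parameters(bits_from, y_from, s_from, bits_to):
    """Scale a known smoothness bound y and sieving-region size S from n' to n."""
    return {
        "y": y_from * extrapolation_factor(bits_from, bits_to, ALPHA_SMOOTH),
        "S": s_from * extrapolation_factor(bits_from, bits_to, ALPHA_RUNTIME),
        "runtime": extrapolation_factor(bits_from, bits_to, ALPHA_RUNTIME),
    }

if __name__ == "__main__":
    # 512-bit basis from [11]/[4] as quoted in the text: y = 2^24, S = 1.6e16
    for bits in (768, 1024):
        est = extrapolate_parameters(512, 2.0 ** 24, 1.6e16, bits)
        print("%d-bit: y ~ 2^%.1f, S ~ %.2e, %.0f times the 512-bit runtime"
              % (bits, math.log2(est["y"]), est["S"], est["runtime"]))
```

Because the ratio only depends on the exponent difference, the same function applied to the factor base size (constant halved, i.e. ALPHA_SMOOTH) shows the 2.5-fold 462-to-512-bit growth mentioned earlier; the text's caveat remains that these o(1)-less ratios say nothing about where on the runtime curve the starting parameters sit.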

5 Results 

Let the notation be as in Section 2. In this section we present our ρ and σ_ℓ-based 
estimates for the yield of the NFS when applied to RSA-155 and RSA-768 with 
the parameters as suggested in [17] (and specified in Section 4) and to RSA- 
1024 for a wide variety of parameters, including those from [17]. Furthermore, 
we compare the estimates to the results of smoothness tests applied to numbers 
that would occur in an actual NFS factorization attempt. In Appendix B we give 
the corresponding estimates for RSA-1024 and the parameter choices from [18]. 

512-bit Moduli. Let n = RSA-155, d = 5, f as in [4], s = 10800, and 
t = exp(5.3). Application of our ρ and σ_ℓ-based estimates to y_r = y_a = 2^24, 
z_r = z_a = 2^6 y_r = 2^30, A = 9e9, and B = 9e5 results in an estimated yield of 
T(y_r, y_a)/8.9 ≈ 2.4e5 ffs, 2.2e6 fp's, 9.1e5 pf's, and 8.1e6 pp's. Because the 
parameter choice was intended for the use of more than a single large prime per 
norm, these results look acceptable: if more than one tenth of the matrix is filled 
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with ffs, combinations of multi-prime partial relations will certainly fill in the 
rest. 

With y_r = 2^29, y_a = 2^30, and B = 4.0e4 the same fraction of the matrix 
would be filled with ffs for a sieving effort that is more than 470 times lower, 
but T(y_r, y_a) would be 38.4 times larger, and sieving would have required more 
fast RAM than was available in 1999. Because y_r = y_a = 2^24 is much smaller 
than the choice that would minimize the sieving effort, extrapolation may result 
in very large sieving efforts, as mentioned in Section 4. See also Table 2 below. 

768-bit Moduli. For n = RSA-768 we generated a fifth degree polynomial 
with s ≈ 26000 and t ≈ exp(5.3). To get S = 4.2e20, we use B = 9e7 and 
A = sB. With y_r = y_a = 2^24, T(y_r, y_a) = 2.1e6, and z_r = z_a = 2^10 y_r = 2^34 
we estimate a yield of fewer than 40 ffs, 1200 fp's, 500 pf's, and 2e4 pp's. It 
is unlikely that this is feasible, unless a substantial effort is spent on finding 
multi-prime partial relations. With y_r = 2^29, y_a = 2^30, and the same sieving 
region, about T(y_r, y_a)/16 ≈ 5.2e6 ffs can be expected. With reasonable use of 
partial relations this may be feasible. 

1024-bit Moduli. For n = RSA-1024 we considered degrees d = 5, 6, 7, 8, 9, 
each with corresponding integer m, d-th degree polynomial f, skewness ratio s, 
and correction factor t as specified in Appendix A. For each of these degrees 
and S = 6e23 the estimated yield figures are presented in the first two parts of 
Table 1, both for y_r = y_a = 2^28 and y_r = y_a = 2^34. Because the skewness ratio s 
depends on d, the height B = √(S/(2s)) and width 2A = 2sB of the sieving 
region depend on d. In the last two parts the effect is given of doubling and 
quadrupling B, thereby increasing S (and the sieving effort) by a factor 4 and 16, 
respectively (since the skewness ratio s is kept invariant). We used z_r = z_a = 2^j y_r 
for j ∈ {8, 12, 16} and indicate the expected fp, pf, and pp yield by fp_j, pf_j, and 
pp_j, respectively. Note that [17] does not use partial relations for y_r = y_a = 2^34. 

Table 1. Estimated yields for smoothness bounds from [17]. 
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It follows from Table 1 that unless multi-prime partial relations are collected 
on a much wider scale than customary or practical, the choice y_r = y_a = 2^28, 
and thus the smaller choice y_r = y_a = 2.5e8 from [17], looks infeasible. Also the 
choice y_r = y_a = 2^34, and therefore the choice y_r = y_a = 1.5e10 from [17], is 
infeasible if, as suggested in [17], partial relations are not used and if a sieving 
region size S as proposed in [17] is used. To get the choice y_r = y_a = 2^34 to work 
without partial relations, our estimates suggest that d = 6 with B ≈ 2.9e12 
(corresponding to S ≈ 8e27) would suffice. This would, however, be about 13000 
times more expensive than the estimate from [17]: the initial 2.6e10 b-values 
produce about T(y_r, y_a)/72 ffs, but the performance deteriorates for larger b's 
so that much more than 72 times the initial effort is needed to find T(y_r, y_a) 
ffs. For d = 5 or 7 it would be 1.1 or 3.5 times more expensive, respectively. 

Using partial relations is probably a more efficient way to get y_r = y_a = 2^34 to 
work, as suggested by the last two parts of Table 1. Since there are no adequate 
methods yet to predict if the partial relation yield as listed, in practice augmented 
with partial relations with 3 or more large primes, would suffice or not, we cannot 
make any definite statements on the resulting cost, the practical merit of the cost 
estimate from [17], or the semi-smoothness bound that would be required. Note 
that the performance of d = 6, 7 deteriorates faster than for d = 5, as expected. 

In Table 2 the effect of low smoothness bounds is illustrated. The total ex- 
pected sieving effort to find T(y_r, y_a)/32 ffs is listed for d = 6, y_r = 2^j with 
j = 28, 29, ..., 51 and y_a = 2y_r. The optimum 9.3e20 is achieved at j = 47. 
When j gets smaller the effort at first increases slowly and gradually, but around 
j = 39 the effort grows faster than the smoothness bounds shrink, and for 
smaller j the performance deteriorates rapidly. 

Table 2. Sieving effort to find T(2^j, 2^{j+1})/32 ffs for d = 6. 
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We now vary d and i_r, i_a ∈ {25, 26, ..., 50} and minimize the sieving effort 
to find T(2^{i_r}, 2^{i_a})/c ffs, for various c's. The resulting sieving efforts with corre- 
sponding optimal smoothness bounds are listed in Table 3. It can be seen that 
both effort and smoothness bounds decrease with increasing c. This effect is 
stronger for larger d. Overall, d = 7 is the best choice, with d = 6 better than 
d = 8 for small c but vice versa for larger ones. For non-optimal smoothness 
bounds, however, d = 7 may not be the best choice, as illustrated in Table 1. 

Actual Smoothness Tests for RSA-1024. The accuracy of our ρ and σ_1- 
based estimates as derived for n = RSA-1024 was tested by applying smoothness 
tests (as explained in Section 3) to N_r(a, b)- and N_a(a, b)-values for wide ranges of 
(a, b)-pairs with coprime a and b and degrees and parameters as in Appendix A. 
More than 100 billion values have been tested for degrees 6 and 7. No major 
surprises or unexpected anomalies were detected. Thus, although it may be too 
early to have complete confidence in the ρ and σ_ℓ-based estimates, there is 
also no reason to dismiss them. 

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Table 3. Minimal sieving efforts to find T(2^{i_r}, 2^{i_a})/c ffs. 
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Table 4. Actual and estimated number of (2^i, 2^j, 1)-semi-smooth N_r(a, b)'s for d = 6. 

For d = 6 this is illustrated in Tables 4, 5, and 6. Tables 4 and 5 contain 
the accumulated results of smoothness tests for N_r(a, b)- and N_a(a, b)-values, 
respectively, for more than 100 billion coprime (a, b) pairs and 176 different b 
values ranging from 2^9 to 2^31. They list the number of (2^i, 2^j, 1)-semi-smooth 
N_r(a, b)- and N_a(a, b)-values (for i, j ranges as specified in the tables) that were 
found using trial division up to 2^30, followed by the (ρ + σ_1)-based estimate 
between parentheses. Table 6 contains the accumulated results of more expensive 
smoothness tests for N_a(a, b)-values for 5.6 million coprime (a, b) pairs and 13 
different b-values ranging from 2^14 to 2^26. For 34 < j < 40 and 31 < i < j it lists 
the number of (2^i, 2^j, 1)-semi-smooth N_a(a, b)-values, found using trial division 
up to 2^30 followed by ECM, again followed by the (ρ + σ_1)-based estimate between 
parentheses. The fact that the estimated value is systematically somewhat higher 
than the actual value can be attributed to the fact that the estimated values 
average over all positive numbers less than some bound, whereas most values 
that are actually tested are close to the bound. This is partly offset by the use 
of asymptotic smoothness probabilities, which are somewhat smaller than the 
concrete probabilities (e.g., for ρ(u_r) the correction term is roughly 
+0.423 ρ(u_r − 1)/log N_r(a, b); cf. [1]). 

For d = 7 we found comparable results. Because of the asymptotic nature of 
the estimates, it may be expected that they become even more accurate for the 
larger b's that may occur in practice (cf. Table 1). 
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Table 5. Actual and estimated number of (2^i, 2^j, 1)-semi-smooth N_a(a, b)'s for d = 6. 
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Table 6. Actual and estimated number of (2^i, 2^j, 1)-semi-smooth N_a(a, b)'s for d = 6. 
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6 More or Better Polynomials? 

Estimating the Performance of Coppersmith’s Variant. We estimated 
the yield and performance of Coppersmith’s multi-polynomial version of the 
NFS by assuming that for any degree d we can find a set G of any reasonable 
cardinality consisting of degree d polynomials with a shared root m modulo n and 
with skewness ratios and correction factors comparable to those in Appendix A. 
Table 7 lists some estimates for d = 6, 7 and #G = 6 that can be compared 
to the estimates in Table 1. The dimension of the matrix increases 7/2-fold 
and the yield improves by a factor 6. The fp and pp yield increase may not 
be that effective, since large primes match only if they occur in the norm of 
the same polynomial. The relation collection effort changes from sieving effort 
3.8e24 to sieving effort 1.9e24 plus a number of semi-smoothness tests (indicated 
by ‘ECM effort’) involving a constant of proportionality E measuring the relative 
performance compared to sieving. 

The practical implications are as yet unclear. For current implementations 
E would be too large to make the multi-polynomial version competitive, but 
an entirely different picture may emerge for dedicated non-sieving hardware 
smoothness tests. Also, our choices d = 6,7 and #G = 6 were not meant to 
optimize anything, they are just for illustrative purposes to facilitate comparison 
with the regular NFS data in Table 1. Clearly, this subject deserves further study. 
The Effect of Much Better Polynomials. In an actual factorization at- 
tempt considerably more time would be spent to find good polynomials. So, in 
practice, we may expect correction factors t that are larger than the ones given 
in Appendix A for polynomials which may have smaller coefficients. An example 
of such a polynomial is given in Appendix B. This effect can be approximated 
by applying our estimates to the same f and m values but with incorrect (too 
large) correction factors t. In Table 8 the results are given if t is replaced by 
t^3 for d = 6, 7, with parameters as in Table 1 (i.e., mostly as in [17]). With 
the current state of the art of polynomial selection methods it is unlikely that 
such large correction factors can be found in practice. Thus, the figures in Ta- 
ble 8 are probably too optimistic. Compared to Table 1 the yield improves by 
a factor about 3: a relatively small effect that does not have an impact on the 
observations made in Section 5 about y_r = y_a = 2^28 and y_r = y_a = 2^34. For 
d = 6 and y_r = y_a = 2^34 not using partial relations (and correction factor t^3) 
would require B = 9.4e11 with corresponding S = 8.2e26. This is about 1300 
times more expensive than the estimate from [17]. We conclude that our limited 
polynomial search did not lead to overly poor estimates. 

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Table 7. Estimated yields for smoothness bounds from [17] with 6 polynomials. 

Table 8. Estimated yields for smoothness bounds from [17] with correction factor t^3. 

| d || s | B || ff || fp_8 | pf_8 | pp_8 || fp_12 | pf_12 | pp_12 || fp_16 | pf_16 | pp_16 | 
y_r = y_a = 2^28, T(y_r, y_a) ≈ 2.9e7, S = 6e23, sieving effort 3.6e24 
| 6 || 458.9 | 2.6e10 || 2.6e2 || 5.8e3 | 2.2e3 | 4.9e4 || 1.1e4 | 4.0e3 | 1.7e5 || 2.0e4 | 6.3e3 | ? | 
| 7 || 40.9 | 8.6e10 || 6.8e2 || 1.5e4 | 4.6e3 | 1.0e5 || 2.9e4 | 8.0e3 | 3.5e5 || 5.1e4 | 1.2e4 | 9.5e5 | 
y_r = y_a = 2^34, T(y_r, y_a) ≈ 1.5e9, S = 6e23, sieving effort 3.8e24 
| 6 || 458.9 | 2.6e10 || 5.7e7 || 7.2e8 | 2.8e8 | 3.5e9 || 1.3e9 | 4.9e8 | 1.1e10 || 2.1e9 | 7.3e8 | 2.6e10 | 
| 7 || 40.9 | 8.6e10 || 9.9e7 || 1.3e9 | 3.9e8 | 5.1e9 || 2.4e9 | 6.4e8 | 1.5e10 || 3.9e9 | 9.4e8 | 3.7e10 | 
y_r = y_a = 2^34, T(y_r, y_a) ≈ 1.5e9, S = 2.4e24, sieving effort 1.5e25 
| 6 || 458.9 | 5.1e10 || 1.1e8 || 1.4e9 | 5.3e8 | 6.9e9 || 2.5e9 | 8.9e8 | 2.1e10 || 4.1e9 | 1.3e9 | 5.1e10 | 
| 7 || 40.9 | 1.7e11 || 1.7e8 || 2.3e9 | 6.6e8 | 9.1e9 || 4.2e9 | 1.1e9 | 2.7e10 || 6.8e9 | ? | ? | 
y_r = y_a = 2^34, T(y_r, y_a) ≈ 1.5e9, S = 9.8e24, sieving effort 6.1e25 
| 6 || 458.9 | 1.0e11 || 2.0e8 || 2.8e9 | 1.0e9 | 1.4e10 || 4.9e9 | 1.7e9 | 4.1e10 || 8.0e9 | 2.6e9 | 1.0e11 | 
| 7 || 40.9 | 3.4e11 || 2.8e8 || 4.0e9 | 1.1e9 | 1.6e10 || 7.3e9 | 1.9e9 | 4.8e10 || 1.2e10 | 2.8e9 | 1.2e11 | 
(? = illegible in this copy) 

7 Conclusion 

We applied numerical methods to estimate the yield of the NFS when applied 
to the 1024-bit RSA modulus RSA-1024, and tested the accuracy of our results 
using actual smoothness tests. Our methods and results were taken into account 
in the updated version [18] of the draft version of TWIRL [17] and are presented 
in Appendix B. Accurate estimates of the difficulty of factoring 1024-bit RSA 
moduli require a better understanding of the large prime matching behavior than 
is available today. Continued large factorization efforts may prove helpful. 

Our results suggest that effective smoothness bounds for RSA-1024 are larger 
than the ones proposed in [17]. Larger smoothness bounds stress the importance 
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of the alternative cost measure proposed in [2] and of approaches to smoothness 
testing that avoid sieving and storage of the complete factor bases. TWINKLE 
and TWIRL (cf. [19], [18]) both require processing elements or storage for es- 
sentially the complete factor bases and time for the sieving. Such designs may 
eventually be surpassed by, say, a carefully designed ECM-based smoothness 
test as proposed in [2] , because the latter allows a better trade-off between space 
and time. This does not disqualify TWIRL for the sizes proposed in [18], but 
indicates that in the long term the approach from [2] may be more promising. 
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A Polynomials for RSA-1024 


Let the notation be as in Section 2. RSA-1024 = 135...563 is a 1024-bit number 
whose 309 decimal digits can be found in [16]. For d = 5, 6, 7, 8, 9 we present the 
value of m, the skewness ratio s, the correction factor t, and the d-th degree 
polynomial f. For all d we have that f(m) = RSA-1024 and the number of free 
relations behaves as estimated in Section 2. 

d = 5: m = 40166061499405767761275922505205845319620673223962394269848, 
s = 87281.9, t = exp(4.71), 
f(X) = 1291966090228800X^5 − 640923572655549773652421X^4 
+ 22084609569698872827347541432045436154518749958885X^3 
+ 395968894120701874630226095753546547718334332711719805X^2 
− 96965973957066386285836042292532199420340774279358321957826X 
− 4149238485198657863882627412883817567549615187136520422680871493. 

d = 6: m = 6290428606355899027255723320027391715970345088070, s = 458.857, t = exp(3.10), 
f(X) = 2180047385355840X^6 − 3142872579455569636X^5 
− 1254155662796860036208992514969847001569768X^4 
− 12346184596682129311885354974311793670338999X^3 
+ 326853630498301587526877377811152784944999520522X^2 
+ 4609395911122979440239635705733809071478223546768X 
− 11074692768758259967955017581674706364925519996590997. 

d = 7: m = 103900297567818360319524643906916425458585, s = 40.9082, t = exp(3.66), 
f(X) = 1033308066924956844000X^7 − 160755011543490353038479X^6 
− 195303627236151056576676296300427751X^5 
− 67322997660970472962322331424620518857X^4 
+ 852886687422682194441338494667584979283X^3 
+ 122261247387346205137507554160155213223449X^2 
− 941042262598628457425892609296624845278218X 
− 38806712095590448575304126518627120637325432. 

d = 8: m = 1364850538695913738402818687041215458, s = 107.255, t = exp(5.13), 
f(X) = 11216738509080904800X^8 + 4126963962861489385859X^7 
− 1175791917822439782941507504635X^6 
+ 2996639999067533888196133035298645X^5 
+ 208240147656019048048262524877102283X^4 
− 27357702926139861867857609251152887873X^3 
− 3424834099100207742896726960114709926535X^2 
− 12957538712647811491436510238283188219229X 
+ 8733287829967486818441309661955398847347705. 

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d = 9: m = 1310717071544062886859477360545488, s = 8.51584, t = exp(3.89), 
f(X) = 11829510000X^9 − 323042712742X^8 − 2296009166444361125150144310X^7 
− 17667833832765445702215975840307X^6 
+ 104750984243461509795139799847908X^5 
+ 684082899341824778960200186325064X^4 
− 85584861328481518261784144249386362X^3 
+ 32301718781994667946436083991144874X^2 
− 42118837302218928303637260451515638X 
− 1293558869408225281960437545569172565. 

B The Parameter Settings from [18] 

This appendix provides analysis of the NFS parameters used in the revised 
TWIRL design [18]. It follows the approach of Section 3, extended to produce 
estimates for the frequency of intermediate candidates. 

Polynomials. We used the NFS polynomial selection program of Jens Franke 
and Thorsten Kleinjung, which contains several improvements on the strategy 
of [13], [14], [15] which was used to obtain the polynomials of Section 3 and Ap- 
pendix A. We employed several Pentium 1.7GHz computers, for a total CPU 
time of about 20 days. However, most of this time was spent on experimentation 
with search parameters; the conclusions can be reused for other composites, so 
future experiments would require just a few hours. We observe that with this 
polynomial selection program there is a lot of flexibility in the search parame- 
ters: at a small cost in yield, one can obtain polynomials with much larger or 
much smaller skew, trade root properties for size properties, etc. Appendix B.2 
of [18] gives the best polynomial we found for RSA-1024, which is as follows: 

d = 5: m = 26261986879125080277818236890415818723981059412962467388500761036823061967405529250615451338729866356088714618385497519816050227824324506707482059371105472385057002739575614001142020313480711790373206171881282736682516670443465012822281608387169409282469138311259520392769843104985793744494821437272961970486, 
s = 1991935.4, t = exp(6.33), 

− 6991973488866605861074074186043634471X^4 
+ 27086030483569532894050974257851346649521314X^3 
+ 46937584052668574502886791835536552277410242359042X^2 
− 101070294842572111371781458850696845877706899545394501384X 
− 22666915939490940578617524677045371189128909899716560398434136, 

g(X) = 93877230837026306984571367477027X 
− 37934895496425027513691045755639637174211483324451628365. 

Here the rational-side polynomial g is non-monic; thus we redefine N_r(a, b) = 
|b · g(a/b)|. Table 9 estimates the yield of this polynomial using the parameter sets 
from [17] that were considered in Section 5. A comparison with Table 1 shows 
that this polynomial has much higher yield; indeed, both its size properties and 
its root properties are better (cf. [15]). Throughout this appendix we shall use 
this polynomial, except where noted otherwise. 

Note that Section 5 gives strong indication that d = 5 is suboptimal, but 
the program we used is limited to d = 5. One can expect that an adaptation 
of the improved algorithm to d = 6 or d = 7 will yield even better results. In 
this light, the parameters of [18] merely imply an upper bound on cost; further 
improvement is likely to be possible. 

Yield. To increase yield, [18] uses higher smoothness bounds than [17]: y_r = 
3.5e9, y_a = 2.6e10, z_r = 4.0e11, z_a = 6.0e11. This has a dramatic effect, 
suggesting that the choice from [17] indeed resides on the steep region of the 
run-time curve (cf. Section 4). Also, the number of allowed large primes is 
increased to ℓ_r = ℓ_a = 2. Conversely, the sieving region size is reduced to 
S = 3.0e23. Table 10 gives the corresponding estimates of yield, as well as the 
number of intermediate candidates (see below). Note that [18] uses different 
notation: there R, H, B_R and B_A stand for our 2A, B, y_r and y_a, respectively. 

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Table 9. Estimated yields with [18]'s RSA-1024 polynomial and [17]'s parameters. 

| d || B || ff || fp_8 | pf_8 | pp_8 || fp_12 | pf_12 | pp_12 || fp_16 | pf_16 | pp_16 | 
y_r = y_a = 2^28, T(y_r, y_a) ≈ 2.9e7, S = 6e23, sieving effort 3.6e24 
| 5 || 3.88e8 || 9.9e2 || 2.0e4 | 9.7e3 | 2.0e5 || 3.8e4 | 1.8e4 | 6.8e5 || 6.6e4 | 2.8e4 | 1.9e6 | 
y_r = y_a = 2^34, T(y_r, y_a) ≈ 1.5e9, S = 6e23, sieving effort 3.8e24 
| 5 || 3.88e8 || 1.8e8 || 2.1e9 | 1.0e9 | 1.2e10 || 3.7e9 | 1.7e9 | 3.5e10 || 5.9e9 | 2.6e9 | 8.6e10 | 
y_r = y_a = 2^34, T(y_r, y_a) ≈ 1.5e9, S = 2.4e24, sieving effort 1.5e25 
| 5 || 3.88e8 || 3.8e8 || 4.5e9 | ? | ? || ? | ? | ? || ? | ? | ? | 
y_r = y_a = 2^34, T(y_r, y_a) ≈ 1.5e9, S = 9.8e24, sieving effort 6.1e25 
| 5 || 3.88e8 || 8.2e8 || 9.9e9 | 4.7e9 | 5.7e10 || ? | ? | ? || 2.9e10 | 1.2e10 | 4.2e11 | 
(? = illegible in this copy) 

Table 10. RSA-1024 parameters and estimates for [18]. 

yield of (L_a, L_r)-partial relations 
| (0,0) | (0,1) | (0,2) | (1,0) | (1,1) | (1,2) | (2,0) | (2,1) | (2,2) || Total | 
| 5.6e7 | 3.0e8 | 6.7e8 | 3.1e8 | 1.7e9 | 3.8e9 | 6.6e8 | 3.5e9 | 7.9e9 || 1.9e10 | 

Ultimately we are interested in the number of cycles among the relations
found. Alas, the dependence of the number of cycles on the number (and type)
of relations is poorly understood (cf. Section 2). As noted, $\pi(z_r) + \pi(z_a)$ relations
always suffice, and in past experiments the number of relations collected was
always somewhat lower. Here, the estimated number of relations is $0.49 \cdot (\pi(z_r) +
\pi(z_a))$. Using $\ell_a, \ell_r > 2$, as in the aforementioned experiments, would further
increase the relation yield. Note that there are $T(y_r, y_a)/23.2$ ffs, which seems
very reasonable.

It is worth observing that while the most ‘fertile’ area of the sieving region is 
close to the origin, the relation yield of the sieving region is not yet ‘dried out’: 
for example, doubling S to 6e23 increases the number of relations significantly, 
to 2.8e10. The practical significance is that if someone builds a TWIRL device 
with hard-wired smoothness bounds and (for whatever reason) does not find 
enough relations using the above parameters, recovery may be possible simply 
by increasing S, i.e., by sieving for a longer time using the same hardware. 

Candidates. For integer $k$, let $\mu(y, k) = k/\eta(y, k)$ denote the non-$y$-smooth
cofactor of $k$. Sieving per se (i.e., the task handled by TWIRL) merely identifies
the pairs $(a,b)$ for which $\mu(y_r, N_r(a,b)) < z_r^{\ell_r}$ and $\mu(y_a, N_a(a,b)) < z_a^{\ell_a}$.
For $\ell_a = \ell_r = 2$, not all such pairs form relations. Thus subsequent filtering is
applied, and it should be verified that its cost is manageable. Also, in the “cas- 
caded sieves” variant employed by the revised TWIRL design, the algebraic-side 
sieve handles only the pairs (a, b) that passed the rational sieve, and it should be 
verified that the latter are sufficiently infrequent (cf. [18, A.6]; this is crucial for
achieving the high parallelism factor of 32768 inspected pairs per clock cycle). 
Thus, we estimate the number of candidates at the relevant points in the algo- 
rithm by writing down the appropriate probability, integrating it over the sieving 
region and multiplying the result by the correction factor $6/\pi^2$ (cf. Section 3).

The types of candidates are listed below; the results of the integrations are 
given in Table 10. In the following, let $k_1, k_2$ ($k_1 > k_2$) denote the two largest
prime factors of $N_r(a,b)$, and let $\kappa_1, \kappa_2$ ($\kappa_1 > \kappa_2$) denote the two largest prime
factors of $N_a(a,b)$.


Pass rational sieve (PRS): The pairs that pass the rational sieve are those
that fulfill $\mu(y_r, N_r(a,b)) < z_r^2$. Noting that $z_r^2 < y_r^3$, we get that the
above is equivalent to the following: $(k_1, k_2 < y_r) \vee (y_r < k_1 < z_r^2 \wedge k_2 <
y_r) \vee (y_r < k_1, k_2 \wedge k_1 k_2 < z_r^2)$. Accordingly, the probability that $(a,b)$
fulfills this can be estimated by $\rho(u_r) + \sigma_1(u_r, v_r/2) + \sigma_2(u_r, v_r/2, v_r/2)$.

Pass both sieves (PBS): the probability that a pair $(a,b)$ passes both sieves
is obtained by multiplying the above by the analogous expression for the al-
gebraic side: $(\rho(u_r) + \sigma_1(u_r, v_r/2) + \sigma_2(u_r, v_r/2, v_r/2)) \cdot (\rho(u_a) + \sigma_1(u_a, v_a/2) +
\sigma_2(u_a, v_a/2, v_a/2))$.

Pass primality testing (PPT): For pairs that passed both sieves,
the smooth factors are divided out to obtain $\mu(y_r, N_r(a,b))$ and $\mu(y_a,
N_a(a,b))$ (note that most prime factors smaller than $y_r$ or $y_a$ are reported
by TWIRL). If $\mu(y_r, N_r(a,b))$ is prime and $> z_r$, or $\mu(y_a, N_a(a,b))$ is prime
and $> z_a$, then the pair is discarded. A pair $(a,b)$ reaches and survives this
test iff $(k_1, k_2 < y_r) \vee (y_r < k_1 < z_r \wedge k_2 < y_r) \vee (y_r < k_1, k_2 \wedge k_1 k_2 < z_r^2)$
and analogously for the algebraic side. The probability that this holds is
estimated by $(\rho(u_r) + \sigma_1(u_r, v_r) + \sigma_2(u_r, v_r/2, v_r/2)) \cdot (\rho(u_a) + \sigma_1(u_a, v_a) +
\sigma_2(u_a, v_a/2, v_a/2))$.

Rational cofactor factorizations (RCF): For pairs that survived primality
testing, if the cofactor $\mu(y_r, N_r(a,b))$ is composite then it needs to be fac-
tored and tested for $z_r$-smoothness. The size of the cofactor to be factored
is bounded by $z_r^2$. This step is reached and the factorization is performed
if $(y_r < k_1, k_2 \wedge k_1 k_2 < z_r^2)$ and $(\kappa_1, \kappa_2 < y_a) \vee (y_a < \kappa_1 < z_a \wedge \kappa_2 <
y_a) \vee (y_a < \kappa_1, \kappa_2 \wedge \kappa_1 \kappa_2 < z_a^2)$. The probability that this holds is estimated
by $\sigma_2(u_r, v_r/2, v_r/2) \cdot (\rho(u_a) + \sigma_1(u_a, v_a) + \sigma_2(u_a, v_a/2, v_a/2))$.

Rational semi-smooth (RSS): A pair reaches the rational cofactor factor-
ization step and passes (or skips) it if indeed $N_r(a,b)$ is $(y_r, z_r, \ell_r)$-smooth
and $(a,b)$ passed the algebraic sieve. For this to happen, the condition on the
rational side is $(k_1, k_2 < y_r) \vee (y_r < k_1 < z_r \wedge k_2 < y_r) \vee (y_r < k_1, k_2 < z_r)$,
and the condition on the algebraic side is as in the previous step. Thus
the probability is estimated by $(\rho(u_r) + \sigma_1(u_r, v_r) + \sigma_2(u_r, v_r)) \cdot (\rho(u_a) +
\sigma_1(u_a, v_a) + \sigma_2(u_a, v_a/2, v_a/2))$.
Algebraic cofactor factorizations (ACF): For pairs that passed all of the
above, if the cofactor $\mu(y_a, N_a(a,b))$ is composite then it needs to be factored
and tested for $z_a$-smoothness. This step is reached and the factorization is
performed iff $(y_a < \kappa_1, \kappa_2 \wedge \kappa_1 \kappa_2 < z_a^2)$ and also the rational-side condition
of the previous step holds. The corresponding probability is estimated by
$(\rho(u_r) + \sigma_1(u_r, v_r) + \sigma_2(u_r, v_r)) \cdot \sigma_2(u_a, v_a/2, v_a/2)$.

Relations (Total): A pair that passes all of the above forms a relation; the
probability of this occurring is estimated by $(\rho(u_r) + \sigma_1(u_r, v_r) + \sigma_2(u_r, v_r)) \cdot
(\rho(u_a) + \sigma_1(u_a, v_a) + \sigma_2(u_a, v_a))$.

The above describes one plausible ordering of the filtering steps; other varia- 
tions are possible (e.g., performing the algebraic cofactor factorization before 
the rational cofactor factorization, or even before the rational primality testing). 
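The filtering cascade just described, as an added example that is not code from [18] or from this appendix: the stage conditions on the two largest prime factors $k_1 \ge k_2$ and $\kappa_1 \ge \kappa_2$ are encoded directly, using the page's RSA-1024 bounds $y_r, y_a, z_r, z_a$. The $\rho$, $\sigma_1$, $\sigma_2$ integrals are not evaluated; instead the stage counts are taken over a constructed list of candidate pairs, which shows which pairs are dropped at PPT, which reach the cofactor factorizations, and which end as relations. The function names and the sample pairs are assumptions of this example.

```python
# Added example (not from the paper): the candidate-filtering conditions of the
# revised TWIRL relation collection, evaluated on the two largest prime factors
# of each norm. Bounds are the page's RSA-1024 values; the candidate pairs are
# constructed here for illustration, not measured data.

Y_R, Y_A = 3.5e9, 2.6e10     # smoothness bounds y_r, y_a
Z_R, Z_A = 4.0e11, 6.0e11    # large-prime bounds z_r, z_a

STAGES = ("PRS", "PBS", "PPT", "RCF", "RSS", "ACF", "relation")


def passes_sieve(k1, k2, y, z):
    """Sieve condition on one side: non-y-smooth cofactor < z^2 (k1 >= k2 assumed)."""
    return (k1 < y and k2 < y) or (y < k1 < z * z and k2 < y) or (y < k2 and k1 * k2 < z * z)


def survives_primality(k1, k2, y, z):
    """PPT condition on one side: a prime cofactor above z means the pair is discarded."""
    return (k1 < y and k2 < y) or (y < k1 < z and k2 < y) or (y < k2 and k1 * k2 < z * z)


def needs_cofactor_factoring(k1, k2, y, z):
    """RCF/ACF condition: composite cofactor (two primes above y) of size below z^2."""
    return y < k2 and k1 * k2 < z * z


def is_semismooth(k1, k2, y, z):
    """(y, z, 2)-smooth on one side: at most two primes above y, each below z."""
    return (k1 < y and k2 < y) or (y < k1 < z and k2 < y) or (y < k2 and k1 < z)


def stages_reached(k1, k2, kap1, kap2):
    """Return the filtering stages a pair (a,b) reaches, in the page's ordering:
    rational sieve, algebraic sieve, primality tests, rational cofactor factoring,
    rational semi-smoothness, algebraic cofactor factoring, relation."""
    reached = []
    if not passes_sieve(k1, k2, Y_R, Z_R):
        return reached
    reached.append("PRS")
    if not passes_sieve(kap1, kap2, Y_A, Z_A):
        return reached
    reached.append("PBS")
    if not (survives_primality(k1, k2, Y_R, Z_R) and survives_primality(kap1, kap2, Y_A, Z_A)):
        return reached
    reached.append("PPT")
    if needs_cofactor_factoring(k1, k2, Y_R, Z_R):
        reached.append("RCF")            # a z_r^2-bounded factorization is performed here
    if not is_semismooth(k1, k2, Y_R, Z_R):
        return reached                   # rational cofactor had a prime above z_r
    reached.append("RSS")
    if needs_cofactor_factoring(kap1, kap2, Y_A, Z_A):
        reached.append("ACF")
    if is_semismooth(kap1, kap2, Y_A, Z_A):
        reached.append("relation")
    return reached


# Constructed candidates (k1, k2, kappa1, kappa2); comments give the expected fate.
SAMPLE_PAIRS = [
    (1.0e9, 5.0e8, 2.0e10, 1.0e10),    # fully smooth on both sides -> relation
    (3.0e11, 1.0e9, 2.0e10, 1.0e10),   # one rational large prime below z_r -> relation
    (5.0e11, 1.0e9, 2.0e10, 1.0e10),   # prime rational cofactor above z_r -> dropped at PPT
    (2.0e11, 1.0e11, 2.0e10, 1.0e10),  # two rational large primes, product 2e22 -> RCF, relation
    (9.0e11, 1.0e11, 2.0e10, 1.0e10),  # product 9e22 < z_r^2 but k1 > z_r -> RCF wasted
    (1.0e9, 5.0e8, 5.0e11, 4.0e11),    # two algebraic large primes, product 2e23 -> ACF, relation
    (1.0e9, 5.0e8, 1.0e12, 1.0e11),    # product 1e23 < z_a^2 but kappa1 > z_a -> ACF wasted
    (1.0e12, 1.0e12, 2.0e10, 1.0e10),  # product 1e24 > z_r^2 -> fails the rational sieve
]


def count_stages(pairs):
    """Number of pairs reaching each stage (the #PRS, #PBS, ... of Table 10 in miniature)."""
    counts = {s: 0 for s in STAGES}
    for k1, k2, kap1, kap2 in pairs:
        for s in stages_reached(k1, k2, kap1, kap2):
            counts[s] += 1
    return counts


if __name__ == "__main__":
    for stage, n in count_stages(SAMPLE_PAIRS).items():
        print(f"#{stage}: {n}")
```

The two "wasted" pairs are the point of the RCF and ACF counts: the cofactor is composite and small enough to be factored, but one of its primes exceeds the large-prime bound, so the factorization cost is paid without producing a relation.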

Cost of Cofactor Factorization. As indicated above, we expect to perform
about #RCF + #ACF = 7.7e10 factorizations of integers whose size is at most
$\max(z_r, z_a)^2$ = 3.6e23. Such factorizations require under 30 ms on average using
a modern CPU. Thus, the cofactor factorization can be completed in 1 year 
(i.e., in parallel to the operation of the TWIRL device) using about 74 bare- 
bones PCs. This cost is negligible compared to the cost of TWIRL, and in large 
volumes custom hardware would reduce it further. 

Optimality and Effect of Technological Progress. The revised TWIRL 
parameters were essentially determined by practical concerns. Most crucially, 
they employ the largest value of y a for which the algebraic-side TWIRL device 
still fits on a single silicon wafer. Theoretically, this $y_a$ is suboptimal; it would
be beneficial to increase it. Such increase will become possible when progress in 
chip manufacturing technology allows fitting larger circuits into a single wafer, 
either by increasing the wafer size or by decreasing the feature size. Thus, for 
the foreseeable future we may expect the cost of TWIRL to decrease more than 
linearly as a function of the relevant technological parameters, i.e., faster than 
naively implied by Moore’s law. 

For a concrete example, one may consider an implementation of TWIRL 
using 90nm process technology, which is expected to be widely deployed during 
2004. Compared to the 130nm process technology considered in [18], we may 
assume a reduction in area by a factor of 2 and an increase in speed by a factor 
of 2, for a total cost reduction by a factor of 4 (cf. [8]). Table 11 presents two 
appropriate NFS parameter sets. The first set is about as plausible as the one in 
Table 10; the cost of such a TWIRL implementation is roughly 1.1M US$ × year
(predicted analogously to [18]) — considerably lower than the 2.5M US$ × year one
may expect.

The second parameter set in Table 11 shows the effect of improved technology 
on yield, when keeping the cost constant at 10M US$ × year (i.e., the same as
in [18]). Here, the estimated number of relations is $1.95 \cdot (\pi(z_r) + \pi(z_a))$, which
is nearly twice the trivially sufficient number. Also, there are $T(y_r, y_a)/3.6$
ffs, which is much more than in any recent factoring experiment. Thus, we
may conclude that using 90nm technology, a budget of 10M US$ × year per
factorization (in large quantities) leaves an ample safety margin — arguably,
more than enough to account for estimation errors, relations that are lost due to
approximations in the sieving process, and sub-optimal cycle-finding algorithms.

Table 11. RSA-1024 parameter sets for TWIRL with 90nm process technology.

  First parameter set:
  yield of $(L_a, L_r)$-partial relations
  (0,0) | (0,1) | (0,2) | (1,0) | (1,1) | (1,2) | (2,0) | (2,1) | (2,2)  || Total
  2.2e8 | 9.8e8 | 1.8e9 | 9.2e8 | 4.0e9 | 7.5e9 | 1.4e9 | 6.1e9 | 1.1e10 || 3.4e10

  Second parameter set:
  yield of $(L_a, L_r)$-partial relations
  (0,0) | (0,1) | (0,2) | (1,0) | (1,1)  | (1,2)  | (2,0) | (2,1)  | (2,2)  || Total
  7.9e8 | 3.9e9 | 7.9e9 | 3.4e9 | 1.7e10 | 3.4e10 | 5.4e9 | 2.7e10 | 5.5e10 || 1.5e11

  (Candidate-count row #PRS | #PBS | #PPT | #RCF | #RSS | #ACF | avg($N_r(a,b)$) | avg($N_a(a,b)$);
  entries present: 5.2e20, 4.6e13, 2.7e11, 2.1e11.)

Table 12. RSA-768 parameters and estimates for [18].

  $T(y_r, y_a) \approx$ 5.7e7, $S$ = 3.0e20
  yield of $(L_a, L_r)$-partial relations
  (0,0) | (0,1) | (0,2) | (1,0) | (1,1) | (1,2) | (2,0) | (2,1) | (2,2) || Total
  3.5e6 | 2.2e7 | 5.5e7 |       |       |       |       |       |       || 2.1e9

Parameter Settings for 768-bit Composites. For RSA-768, [18] uses the 
following polynomial, obtained by the same method as above: 

d = 5: m = 298042735455225695962169466802296972092514233555373658677034019038686595192142458430585097389943648179813292845509402284357573098406890616147678906706078002760825484610584689826591183386558993533887364961255454143572139671622998845,
s = 1905116.1, t = exp(3.78),
f(X) = 44572350495893220 X^5
     + 1421806894351742986806319 X^4
     - 1319092270736482290377229028413 X^3
     - 4549121160536728229635596952173101064 X^2
     + 6062531470679201843447146909871507448641523 X
     - 1814356642608474735992878928235210850251713945286,
g(X) = 669580586761796376057918067 X - 7730028528962337116069068686542066657037329.
The parameter choice and yield estimates using this polynomial are given in 
Table 12. 
Abstract. We present a variation of the index calculus attack by
Gaudry which can be used to solve the discrete logarithm problem in 
the Jacobian of hyperelliptic curves. The new algorithm has a running 
time which is better than the original index calculus attack and the 
Rho method (and other square-root algorithms) for curves of genus > 3. 
We also describe another improvement for curves of genus > 4 (slightly 
slower, but less dependent on memory space) initially mentioned by 
Harley and used in a number of papers, but never analyzed in details. 


1 Introduction 

Koblitz [10] first introduced the use of hyperelliptic curves for discrete log 
based public-key cryptography in 1989. For the first ten years, the best known 
generic attacks against these cryptosystems were the “square-root” algorithms 
(Shanks' Baby Step-Giant Step, Pollard's $\rho$ method, Pollard's $\lambda$ method). Pier-
rick Gaudry's index calculus attack for hyperelliptic curves [8] was the first exam-
ple of a generic attack that could solve the discrete log problem on the Jacobian
of a hyperelliptic curve of small genus over a finite field in a time smaller than
the square-root of the group order (assuming the genus of the curve is greater 
than 4) (an attack for curves of high genus was introduced the year before in [1] 
by Adleman, DeMarrais and Huang). 

In this paper, we analyse in detail a variation of the original index calcu-
lus attack which was first introduced by Robert Harley and implemented for a
number of papers, but never analyzed in detail. This algorithm works in time
$O\left(g^5 q^{2 - \frac{2}{g+1} + \epsilon}\right)$ and gives an improvement on previous attacks for curves of
genus greater than 3. We also describe how the algorithm can be improved fur-
ther by using the large prime method of the number field sieve. For this variation,
we get a running time of $O\left(g^5 q^{2 - \frac{4}{2g+1} + \epsilon}\right)$ and an improvement for all curves of
genus greater than 2. Comparing the running times for curves of genus 3, 4 and
5, we get
This paper is divided as follows: The main ideas and concepts used in the
index calculus attack are described in Sect. 2. We then present the two algorithms 
in Sects. 3 and 4. The running times of both algorithms are analyzed together 
in Sect. 5 and the memory space required to run the algorithms is discussed in 
Sect. 6. 

2 The Index Calculus Attack 

2.1 The Discrete Log Problem 

Let $C$ be an imaginary quadratic curve over $\mathbb{F}_q$, i.e. a smooth hyperelliptic curve
of genus $g$ over $\mathbb{F}_q$ with a single point at infinity and whose finite part can be
written in the form $y^2 + h(x)y = f(x)$ with $\deg(f) = 2g + 1$ and $\deg(h) \le g$.

Note 1. Throughout this paper, we will use $J_q$ for $\mathrm{Jac}(C)(\mathbb{F}_q)$.

Definition 1. Given $D_1, D_2$, two elements of $J_q$ such that $D_2 \in \langle D_1 \rangle$, the hy-
perelliptic discrete log problem for the pair $(D_1, D_2)$ on $J_q$ consists in computing
the smallest integer $\lambda \in \mathbb{N}$ such that $D_2 = \lambda D_1$.

In practice, we can assume that $D_1$ has large prime order in $J_q$ (if not, we
can bring the problem down to subgroups of $\langle D_1 \rangle$ of prime order, solving the
corresponding discrete log problem on each subgroup independently).

2.2 Jacobian Arithmetic 

Note 2. Throughout the paper, we will assume only basic arithmetic for multi-
plication. In practice, faster algorithms (Karatsuba, FFT) should be used, but
they will reduce the overall running time by a factor of less than $g \log(q)$.

Points of $\mathrm{Jac}(C)$ can be represented uniquely by reduced divisors, i.e. divisors
of the form

$$\sum_{i=1}^{k} P_i - k\infty$$

where the $P_i$'s are points in $C(\overline{\mathbb{F}}_q)$ with $P_i \ne -P_j$ for $i \ne j$ and with $k \le g$ and
$\infty$ is the unique point at infinity of $C$. From now onward, we identify $\mathrm{Jac}(C)$
with the collection of reduced divisors.

We use the following result of Cantor [2]:

Proposition 1. For every reduced divisor $D = \sum_{i=1}^{k} P_i - k\infty$ (with $P_i =
(x_i, y_i)$), there is a unique representation by a pair of polynomials $[a(x), b(x)]$,
$a(x), b(x) \in \overline{\mathbb{F}}_q[x]$, with

$$a(x) = \prod_{i=1}^{k} (x - x_i)$$

and $b(x_i) = y_i$ satisfying $\deg(b) < \deg(a) \le g$ and $b(x)^2 + h(x)b(x) - f(x)$
divisible by $a(x)$. The sum (as a reduced divisor) of two reduced divisors in $J_q$
can be computed in $O(g^2 (\log(q))^2)$ bit operations.
The reduced divisor $D = [a(x), b(x)]$ is associated to a point in $J_q$ if and only
if both $a(x)$ and $b(x)$ are in $\mathbb{F}_q[x]$.

2.3 Smooth Divisors 

Let $V$ be the collection of $\mathbb{F}_q$-rational points of $C$, i.e. $V = C(\mathbb{F}_q)$. For every
$P \in C(\mathbb{F}_q)$, we let $D(P) = P - \infty$.

Definition 2. Let $B$ be a subset of $V$. A divisor $D$ is said to be smooth relative
to $B$ if it is reduced and $D = \sum_{i=1}^{k} D(P_i)$ with all the $P_i$'s in $B$.

Definition 3. A subset B of V used to define smoothness is called a factor base. 

Definition 4. A divisor will be said to be potentially smooth if it is smooth 
relative to V. 

Definition 5. A point $P$ in $V$ will be called a large prime relative to a factor
base $B$ if $P \notin B$.

Definition 6. A reduced divisor $D = \sum_{i=1}^{k} D(P_i)$ will be said to be almost-
smooth if all but one of the $P_i$'s are in $B$ and the remaining $P_i$ is a large prime.


2.4 Random Walk 

The index calculus algorithm relies in a large part on using a pseudo-random walk
to search for smooth divisors. We set up a pseudo-random walk by specifying
a hash function $\mathcal{H}$ and a state function $\mathcal{R}$. A hash function $\mathcal{H}$ is a function
$\mathcal{H} : J_q \to \{1, 2, \ldots, n\}$. A state function is a map $\mathcal{R} : J_q \times \{1, 2, \ldots, n\} \to J_q$.
Given an initial point $T_0 \in J_q$, our interest is in computing the sequence (the
“random walk”) $(T_i)$ with $T_{i+1} = \mathcal{R}(T_i, \mathcal{H}(T_i))$.

To have an effective index calculus attack for the discrete log problem for a
given pair $(D_1, D_2) \in J_q \times J_q$, the pair $(\mathcal{R}, B)$ should be chosen to satisfy certain
statistical and computational constraints. The function $\mathcal{R}$ should be chosen so
that given $T_i = \alpha_i D_1 + \beta_i D_2$, it is easy to compute $T_{i+1}$ as well as $\alpha_{i+1}$ and
$\beta_{i+1}$ such that $T_{i+1} = \alpha_{i+1} D_1 + \beta_{i+1} D_2$. A simple method is to set

$$\mathcal{R}(T, j) = T + T^{(j)}$$

where $T^{(j)} = \alpha^{(j)} D_1 + \beta^{(j)} D_2$ for some randomly chosen $\alpha^{(j)}$ and $\beta^{(j)}$.

At each step of the random walk, we compute $T_{i+1}$ as well as $\alpha_{i+1}$ and $\beta_{i+1}$
modulo the order of $J_q$. The values of $T_i$, $\alpha_i$ and $\beta_i$ need to be recorded only if
$T_i$ is a smooth divisor (or an almost-smooth divisor in the second algorithm).

2.5 Index Calculus 

From the sequence $(T_i)$ of divisors obtained in the random walk, we extract
a subsequence of smooth divisors $(R_i)$. Then each $R_i$ can be written both as
$R_i = \alpha_i D_1 + \beta_i D_2$ and $R_i = \sum_{j=1}^{k_i} D(P_j)$ with the $P_j$'s in the factor base and
$k_i \le g$. The goal of the index calculus attack is to use the $R_i$'s to obtain an
equation of the form $\alpha D_1 + \beta D_2 = 0$.

To do this, we order the elements of $B$ as $P_1, P_2, \ldots, P_{|B|}$. To each smooth
divisor

$$T_i = \sum_{j=1}^{k_i} D(P_{i_j}) = \sum_{l=1}^{|B|} a_{i,l} \, D(P_l)$$

we can associate a vector

$$v_i = (a_{i,1}, a_{i,2}, \ldots, a_{i,|B|}).$$

We then use the vectors $v_i$ to build the matrix $M = (a_{i,j})$ where each row,
corresponding to a smooth divisor, has weight at most $g$. When the size of $M$
is large enough (i.e. when $M$ is overdetermined), we use linear algebra to find
a nonzero vector in the kernel of $M$. Note that all operations are done modulo
$|J_q|$. Once a nonzero solution of the system is found, we can write

$$\sum_{i} \gamma_i v_i = 0$$

and (in terms of divisors)

$$\sum_{i} \gamma_i R_i = 0.$$

Substituting $R_i = \alpha_i D_1 + \beta_i D_2$, we get

$$\Big(\sum_{i} \gamma_i \alpha_i\Big) D_1 + \Big(\sum_{i} \gamma_i \beta_i\Big) D_2 = \alpha D_1 + \beta D_2 = 0,$$

from which we obtain the solution $D_2 = \lambda D_1$ ($\lambda = -\alpha/\beta$). The algorithm fails
only if $\beta = 0$, in which case we must go through the algorithm again starting
from the initialization of the random walk. This is very unlikely however (the
algorithm fails with probability $|\langle D_1 \rangle|^{-1}$ if $D_1$ has prime order), hence we expect
to have to go through the algorithm only once.

In practice, once a point $P_i \ne -P_i$ is included in the factor base, we take $-P_i$
as being in the factor base but replace $D(-P_i)$ by $-D(P_i)$ in the construction of
the linear algebra system (since the divisor $D(P_i) + D(-P_i)$ reduces to 0). This
makes it possible to reduce the number of smooth divisors we must find in the
random walk by a factor of close to 2.
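The kernel computation and the final substitution of Sect. 2.5, as an added example that is not the paper's code. It replaces $J_q$ by the additive group $\mathbb{Z}/N\mathbb{Z}$ with $N$ prime (so $D_1 = 1$ and $D_2 = \lambda$), which lets the test harness construct smooth relations $\alpha_i D_1 + \beta_i D_2 = \sum_l a_{i,l} D(P_l)$ that are consistent with hidden "discrete logs" of the factor-base elements; the solver itself uses only the relations, finds a nonzero $\gamma$ with $\sum_i \gamma_i v_i = 0$, and returns $\lambda = -\alpha/\beta$, or reports the $\beta = 0$ failure. The names kernel_vector, solve_dlog and make_toy_instance are this example's own.

```python
# Added example (not the paper's code): the linear-algebra step of Sect. 2.5 in a
# toy setting. J_q is replaced by Z/NZ with N prime, so consistent relations can be
# constructed for the test; the solver never looks at the hidden logs.
import random


def kernel_vector(rows, N):
    """Return a nonzero gamma with sum_i gamma_i * rows[i] == 0 (mod N), or None.
    rows: equal-length integer vectors (the rows v_i of M); N must be prime."""
    m, cols = len(rows), len(rows[0])
    # Augment each row with an identity part that records the combination gamma.
    aug = [[x % N for x in r] + [1 if j == i else 0 for j in range(m)]
           for i, r in enumerate(rows)]
    pivot_row = 0
    for c in range(cols):
        piv = next((i for i in range(pivot_row, m) if aug[i][c]), None)
        if piv is None:
            continue                                  # no pivot in this column
        aug[pivot_row], aug[piv] = aug[piv], aug[pivot_row]
        inv = pow(aug[pivot_row][c], -1, N)
        aug[pivot_row] = [(x * inv) % N for x in aug[pivot_row]]
        for i in range(m):
            if i != pivot_row and aug[i][c]:
                f = aug[i][c]
                aug[i] = [(a - f * b) % N for a, b in zip(aug[i], aug[pivot_row])]
        pivot_row += 1
        if pivot_row == m:
            break
    # A row whose M-part became zero carries a kernel combination in its identity part.
    for i in range(m):
        if not any(aug[i][:cols]):
            return aug[i][cols:]
    return None


def solve_dlog(relations, N):
    """relations: list of (alpha_i, beta_i, v_i) meaning alpha_i*D1 + beta_i*D2 = sum_l v_i[l]*D(P_l).
    Returns lambda with D2 = lambda*D1, or None when no kernel vector exists or beta == 0
    (the failure case of Sect. 2.5, which restarts the random walk)."""
    gamma = kernel_vector([v for _, _, v in relations], N)
    if gamma is None:
        return None
    alpha = sum(g * a for g, (a, _, _) in zip(gamma, relations)) % N
    beta = sum(g * b for g, (_, b, _) in zip(gamma, relations)) % N
    if beta == 0:
        return None
    return (-alpha * pow(beta, -1, N)) % N


def make_toy_instance(N, base_size, num_relations, genus, seed):
    """Construct consistent smooth relations for D1 = 1, D2 = lam in Z/NZ.
    Each row has weight <= genus, like the rows of the paper's matrix M."""
    rng = random.Random(seed)
    lam = rng.randrange(2, N)
    logs = [rng.randrange(1, N) for _ in range(base_size)]   # hidden logs of D(P_l)
    relations = []
    for _ in range(num_relations):
        v = [0] * base_size
        for _ in range(rng.randint(1, genus)):                # at most g points, repeats allowed
            v[rng.randrange(base_size)] += 1
        beta = rng.randrange(1, N)
        # alpha*1 + beta*lam == sum_l v_l * log_l  (mod N)
        alpha = (sum(a * l for a, l in zip(v, logs)) - beta * lam) % N
        relations.append((alpha, beta, v))
    return lam, relations


if __name__ == "__main__":
    N = 1000003
    lam, rels = make_toy_instance(N, base_size=20, num_relations=25, genus=3, seed=7)
    print("recovered", solve_dlog(rels, N), "expected", lam)
```

Twenty-five relations over a factor base of twenty elements make the system overdetermined, so a kernel vector always exists; the only remaining failure is $\beta = 0$, which the solver reports as None.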

3 First Algorithm 

3.1 Factor Base 

In the original version of the index calculus attack for hyperelliptic curves, the
factor base is $V = C(\mathbb{F}_q)$. This gives a running time of

$$O\left(g^2 \, g! \, q (\log(q))^2\right) + O\left(g^3 q^2 (\log(q))^2\right)$$
where the first part is due to the search for smooth divisors, while the second
part is the cost of solving the linear algebra system. 

If $q$ is large enough relative to $g$, i.e. if $q > (g-1)!$, then most of the cost of
the index calculus attack comes from the linear algebra. The first approach to 
reduce the overall running time consists in reducing the size of the factor base, 
which reduces the time required to solve the linear algebra system on the one 
hand, but increases the search time on the other hand (since reducing the size 
of the factor base also reduces the number of smooth divisors). We do this until 
both parts of the running time are equal, i.e. up to the point where any further 
reduction of the factor base would make the search too costly. 

Given that $q > (g-1)!$, the factor base can be chosen as a subset $B$ of $V$
such that the running time becomes

$$O\left(g^5 q^{2 - \frac{2}{g+1} + \epsilon}\right).$$

For the analysis, we assume that $q > (g-1)!$ and we set $|B| = q^r$, with
$\frac{1}{2} < r < 1$ and compute the value of $r$ which gives the best running time.

3.2 Algorithm 

The first algorithm can be summarized as follows:

1. Search for the elements of the factor base
   Compute the $x$ and $y$ coordinates of points in $C(\mathbb{F}_q)$ until $|B| = q^r$.

2. Initialization of the random walk
   Choose the $\alpha^{(j)}$ and $\beta^{(j)}$'s randomly and compute the $T^{(j)}$'s. Also choose
   $\alpha_0$ and $\beta_0$ randomly and compute $T_0 = \alpha_0 D_1 + \beta_0 D_2$.

3. Search for smooth divisors (random walk)
   The following steps are repeated until the linear system is large enough:

   a) Search for potentially smooth divisors
      Compute $T_{i+1} = [a(x), b(x)]$ and check if $a(x)$ splits over $\mathbb{F}_q$.

   b) Factorization of the potentially smooth divisors
      If $a(x)$ splits over $\mathbb{F}_q$, compute the points in $C(\mathbb{F}_q)$ corresponding to
      $T_{i+1}$. $T_{i+1}$ is smooth if and only if all the points are in $B$.

   c) Construction of the linear algebra system
      Compute $\alpha_{i+1}$ and $\beta_{i+1}$. If $T_{i+1}$ is smooth, record $\alpha_{i+1}$, $\beta_{i+1}$ and the
      factors of $T_{i+1}$.

4. Solution of the linear algebra system
   Compute a nonzero vector in the kernel of the matrix obtained at step 3.

5. Final solution
   Compute $\lambda$ (if $\beta = 0$, return to step 2).

Note that in step 3, the factorization of $a(x)$ is done in two parts: we first
check if $a(x)$ splits over $\mathbb{F}_q$ by breaking down $a(x)$ into squarefree factors and
checking that the factors divide $x^q - x$. If $a(x)$ splits in $\mathbb{F}_q$, we can then completely
factor $a(x)$ using Cantor-Zassenhaus. The second part, which is probabilistic, is
obviously skipped if $a(x)$ does not split over $\mathbb{F}_q$ (in that case, the divisor is not
potentially smooth and obviously cannot be smooth).



Nicolas Theriault 


4 Second Algorithm 

The new improvement to the index calculus mimics the use of large primes in 
the number field sieve. We again reduce the size of the factor base as much as 
possible to reduce the time required to solve the linear algebra system without 
making the search for smooth divisors too costly. This time however, we make 
use of the points in V which are not part of the factor base. 

If $q > (g-1)!/g$, we can play the almost-smooth divisors against each other
to cancel the large primes to bring the running time down to

$$O\left(g^5 q^{2 - \frac{4}{2g+1} + \epsilon}\right).$$

For the analysis, we once again assume that $q > (g-1)!/g$ and that the
factor base has size $|B| = q^r$ with $\frac{1}{2} < r < 1$.

4.1 Large Primes 

To make use of the almost-smooth divisors, we consider them in the order in 
which they appear during the search. 

Definition 7. Let $T_i$ be an almost-smooth divisor with the large prime $P$. $T_i$
will be called an intersection if one of the previous $T_j$ ($j < i$) has large prime
$\pm P$.

If two almost-smooth divisors $T_1, T_2$ have large prime $P$, i.e. if they can be
written in the form

$$T_1 = D(P) + \sum_{i=1}^{k_1 - 1} D(P_{1,i}) \quad \text{and} \quad T_2 = D(P) + \sum_{i=1}^{k_2 - 1} D(P_{2,i})$$

with $P_{1,i}, P_{2,i} \in B$, we consider

$$T_1 - T_2 = \sum_{i=1}^{k_1 - 1} D(P_{1,i}) - \sum_{i=1}^{k_2 - 1} D(P_{2,i})$$

and set $T' = T_1 - T_2$ (after doing all the extra cancellations that may be necessary
if $P_{1,i} = P_{2,j}$ for some pair $i, j$).

If $T_1, T_2$ are almost-smooth divisors such that $T_1$ has large prime $P$ and $T_2$
has large prime $-P$, i.e. if they can be written in the form

$$T_1 = D(P) + \sum_{i=1}^{k_1 - 1} D(P_{1,i}) \quad \text{and} \quad T_2 = D(-P) + \sum_{i=1}^{k_2 - 1} D(P_{2,i})$$

with $P_{1,i}, P_{2,i} \in B$, we consider

$$T_1 + T_2 = \sum_{i=1}^{k_1 - 1} D(P_{1,i}) + \sum_{i=1}^{k_2 - 1} D(P_{2,i})$$

and set $T' = T_1 + T_2$ (after doing all the extra cancellations that may be necessary
if $P_{1,i} = -P_{2,j}$ for some pair $i, j$).

In both cases, $T'$ factors over the factor base even though it may not be
smooth ($T'$ need not be reduced). For the linear algebra, the vector associated
with $T'$ will work in exactly the same way as if it was the difference of two
smooth divisors with a common $P_i \in B$ and will have weight $\le 2g$.

Proposition 2. Each intersection is counted only once no matter how many 
times the large prime (or its negative) appeared before. 

Proof. Let $P$ be a large prime. Suppose that $k > 1$ almost-smooth divisors with
large prime $P$ or $-P$ occurred during the random walk, say $T_{j_1}, T_{j_2}, \ldots, T_{j_k}$,
$k - 1$ of which are intersections. Using the same idea as described in Sect. 2.5,
we associate the $T_{j_i}$'s to vectors $v_1, v_2, \ldots, v_k$ with an extra coordinate for
$D(P)$. In order to use these to add information to the linear algebra system,
we must cancel out the coordinate associated to $D(P)$. If we use $v_1$ to do the
cancellation in the other $v_i$'s, we obtain $k - 1$ vectors $v'_2, \ldots, v'_k$ which are then
used to construct $M$ (after removing the coordinate associated to $D(P)$). Since

$$\mathrm{span}\{v_1, v_2, \ldots, v_k\} = \mathrm{span}\{v_1, v'_2, \ldots, v'_k\},$$

once $T_{j_1}$ has been used to cancel the large prime in $T_{j_l}$, using another $T_{j_m}$ to do
the cancellation again does not produce any supplementary information for the
linear algebra system. Q.E.D.

We therefore look for intersections of almost-smooth divisors and use these 
to obtain extra equations in our linear algebra system. 

The advantage of this method is that the number of almost-smooth divisors
is greater than the number of smooth divisors by a factor of $O(g \, q^{1-r})$ and the
search should produce more intersections of almost-smooth divisors than smooth
divisors.

For the analysis, we will assume that any point $P_i$ in $V$ such that $P_i = -P_i$
is in the factor base and that a point is in the factor base if and only if its
negative is also in the factor base. This has no effect on the running time, but
it simplifies the analysis (in particular for Theorem 1).


4.2 Algorithm 

The second algorithm can be summarized as follows (all steps, except 3c, work
in the same way as in the first algorithm).


1. Search for the elements of the factor base

2. Initialization of the random walk 
3. Search for smooth divisors (random walk)

a) Search for potentially smooth divisors 

b) Factorization of the potentially smooth divisors 

c) Cancellation of the Large Primes 

If the divisor is almost-smooth, check whether or not it is an intersection. 
If not, add it to the list of non-intersections. If it is an intersection, cancel 
its large prime and use the result as if it were a smooth divisor. 

d) Construction of the linear algebra system 

4. Solution of the linear algebra system 

5. Final solution 

5 Running-Time Analysis 

5.1 Factor Base 

In order to choose our factor base, we look at the $x$-coordinates of the points in
$C(\mathbb{F}_q)$.

We go through the values of $x_i \in \mathbb{F}_q$ starting from 0 and following a chosen
order on $\mathbb{F}_q$. We first evaluate $y^2 + h(X)y - f(X)$ at $X = x_i$ (this can be done in
$O(g^2 (\log(q))^2)$ bit operations). We then factor the quadratic polynomial in $\mathbb{F}_q[y]$
obtained, which takes $O((\log(q))^2)$ bit operations. If the polynomial has roots
$y_{i,1}, y_{i,2}$ in $\mathbb{F}_q$ ($y_i$ if we have a double root), we include $(x_i, y_{i,1})$ and $(x_i, y_{i,2})$ in
$B$. We then go on to the next $x_i \in \mathbb{F}_q$ until $|B| = q^r$.

This method will require $O(q)$ tries for the possible $x$-coordinates, each taking
$O(g^2 (\log(q))^2)$ bit operations, for a total of

$$O\left(g^2 q (\log(q))^2\right)$$

bit operations to build the factor base. 
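An added example, not the paper's code, covering the factor-base construction of Sect. 5.1 together with the large-prime cancellation of Sect. 4.1 and the intersection test of step 3c. It uses a small constructed curve $y^2 = x^5 + x$ over $\mathbb{F}_{101}$ (so $h = 0$ and $g = 2$), finds the roots in $y$ by brute force because $q$ is tiny, takes $B$ as the first points in $x$ order (completed to a full $x$-slice so that $B$ is closed under negation, as assumed in Sect. 4.1), and represents $D(-P)$ as $-D(P)$ as in Sect. 2.5, which makes the $P_{1,i} = \pm P_{2,j}$ cancellations automatic. The almost-smooth divisors in the test are constructed by hand; the helper names are this example's own.

```python
# Added example (not the paper's code): factor base by x-coordinate (Sect. 5.1) and
# cancellation of the large prime in two almost-smooth divisors (Sect. 4.1).
# The curve, field and divisors are constructed for illustration.
from collections import Counter

Q = 101                        # small prime field F_q
H = [0]                        # h(x) = 0, coefficients low degree first
F = [0, 1, 0, 0, 0, 1]         # f(x) = x^5 + x  (deg f = 2g + 1 with g = 2)


def poly_eval(coeffs, x, q):
    return sum(c * pow(x, i, q) for i, c in enumerate(coeffs)) % q


def curve_points(q, h, f):
    """Affine points of C(F_q) in the order of Sect. 5.1: x = 0, 1, ..., q-1, and for each x
    the roots y of y^2 + h(x) y - f(x) (brute force over F_q, fine for tiny q)."""
    pts = []
    for x in range(q):
        hx, fx = poly_eval(h, x, q), poly_eval(f, x, q)
        roots = [y for y in range(q) if (y * y + hx * y - fx) % q == 0]
        pts.extend((x, y) for y in roots)          # a double root gives one point
    return pts


def negate(P, q, h):
    """-P = (x, -y - h(x)) on y^2 + h(x) y = f(x)."""
    x, y = P
    return (x, (-y - poly_eval(h, x, q)) % q)


def choose_factor_base(points, size):
    """First `size` points in x order, extended to the end of the current x-slice so
    that P in B implies -P in B (the assumption made for the analysis in Sect. 4.1)."""
    base = list(points[:size])
    while len(base) < len(points) and points[len(base)][0] == base[-1][0]:
        base.append(points[len(base)])
    return set(base)


def canonical(P, q, h):
    """One representative per pair {P, -P}; D(-P) is recorded as -D(P) (Sect. 2.5)."""
    negP = negate(P, q, h)
    return (P, 1) if P <= negP else (negP, -1)


def to_vector(points, q, h):
    """Divisor sum_i D(P_i) as a map representative -> coefficient."""
    vec = Counter()
    for P in points:
        rep, sign = canonical(P, q, h)
        vec[rep] += sign
    return {P: c for P, c in vec.items() if c}


def cancel_large_prime(T1, T2, base_set, q, h):
    """T1, T2: point lists of almost-smooth divisors (exactly one point outside B each).
    Returns T' of Sect. 4.1 as a coefficient map over B's representatives, or None if
    the large primes differ (up to sign), i.e. the pair is not an intersection."""
    lp1 = [P for P in T1 if P not in base_set]
    lp2 = [P for P in T2 if P not in base_set]
    if len(lp1) != 1 or len(lp2) != 1:
        raise ValueError("each input must contain exactly one large prime")
    rep1, _ = canonical(lp1[0], q, h)
    rep2, _ = canonical(lp2[0], q, h)
    if rep1 != rep2:
        return None
    v1, v2 = to_vector(T1, q, h), to_vector(T2, q, h)
    # Same large prime: T' = T1 - T2.  Opposite signs (P and -P): T' = T1 + T2.
    # In representative coordinates both amount to eliminating the rep1 entry.
    sign = v1[rep1] * v2[rep1]
    combined = Counter(v1)
    for P, c in v2.items():
        combined[P] -= sign * c
    return {P: c for P, c in combined.items() if c}


def find_intersections(almost_smooth, base_set, q, h):
    """Step 3c: scan almost-smooth divisors in search order, keep the first divisor seen
    for each large prime (up to sign), and cancel every later one against it
    (Proposition 2: one new relation per intersection, no more)."""
    first_seen, relations = {}, []
    for T in almost_smooth:
        lp = next(P for P in T if P not in base_set)
        rep, _ = canonical(lp, q, h)
        if rep in first_seen:
            relations.append(cancel_large_prime(first_seen[rep], T, base_set, q, h))
        else:
            first_seen[rep] = T
    return relations
```

The resulting coefficient maps have weight at most $2g$ and plug into the matrix $M$ exactly like the difference of two smooth divisors, which is the point of Sect. 4.1.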


5.2 Initialization 

To initialize the random walk, we need to precompute the divisors $T^{(i)}$ used in
the state function $\mathcal{R} : J_q \times \{0, 1, \ldots, n\} \to J_q$ as well as $T_0$.

For each $T^{(i)}$ (and for $T_0$), we choose both $\alpha^{(i)}$ and $\beta^{(i)}$ randomly in $\{1, 2, \ldots,
|J_q| - 1\}$ and set $T^{(i)} = \alpha^{(i)} D_1 + \beta^{(i)} D_2$. We then need $O(g \log(q))$ Jaco-
bian operations to compute each of the $T^{(i)}$'s, each Jacobian operation tak-
ing $O(g^2 (\log(q))^2)$ bit operations. In practice, we can take $n = O(\log(|J_q|)) =
O(g \log(q))$, which gives a total of

$$O\left(g^4 (\log(q))^4\right)$$

bit operations to initialize the random walk.
5.3 Smooth Divisors

Proposition 3. For $\frac{1}{2} < r < 1$, there are $\frac{q^{rg}}{g!} + O\left(\frac{g \, q^{r(g-1)}}{(g-1)!}\right)$ smooth divisors
in $J_q$.

Proof. All smooth divisors relative to $B$ can be written in the form $\sum_{i=1}^{k} D(P_i)$
with the $P_i$'s in $B$ and $k \le g$. To count the number of smooth divisors, we need
to consider the number of distinct $P_i$'s in the representation of the divisors. The
number of smooth divisors with $g$ distinct $P_i$'s is:

$$\binom{q^r}{g} = \frac{q^{rg}}{g!} - \frac{q^{r(g-1)}}{2(g-2)!} + O\left(q^{r(g-2)}\right).$$

The number of smooth divisors with $g - 1$ distinct $P_i$'s, one of which is repeated, is

$$\frac{q^{r(g-1)}}{(g-2)!} + O\left(q^{r(g-2)}\right).$$

The number of smooth divisors with $g - 1$ distinct $P_i$'s, none of which are repeated, is

$$\frac{q^{r(g-1)}}{(g-1)!} + O\left(q^{r(g-2)}\right).$$

Finally, the number of smooth divisors with less than $g - 1$ distinct $P_i$'s is
$O\left(q^{r(g-2)}\right)$. This gives a total of

$$\frac{q^{rg}}{g!} + O\left(\frac{g \, q^{r(g-1)}}{(g-1)!}\right)$$

smooth divisors relative to $B$. Q.E.D.

The proportion of smooth divisors in $J_q$ is then

$$\frac{\frac{q^{rg}}{g!} + O\left(\frac{g \, q^{r(g-1)}}{(g-1)!}\right)}{q^g + O\left(g \, q^{g - \frac{1}{2}}\right)} = \frac{q^{-(1-r)g}}{g!} + O\left(\frac{g \, q^{-(1-r)g - r}}{(g-1)!}\right),$$

so we expect to have to look at

$$O\left(g! \, q^{(1-r)g}\right)$$

divisors for each smooth divisor found in the search.


5.4 Potentially Smooth Divisors 

Proposition 4. For $\frac{1}{2} < r < 1$, there are $\frac{q^g}{g!} + O\left(\frac{q^{g - \frac{1}{2}}}{(g-1)!}\right)$ potentially smooth
divisors in $J_q$.

Proof. All smooth divisors relative to $V$ can be written in the form $\sum_{i=1}^{k} D(P_i)$
with the $P_i$'s in $V$ and $k \le g$. To count the number of smooth divisors, we need
to consider the number of distinct $P_i$'s in the representation of the divisors.
Since $|V| = q + O(\sqrt{q})$ (from Hasse's bound), the number of potentially smooth
divisors with $g$ distinct $P_i$'s is:

$$\binom{|V|}{g} = \frac{q^g}{g!} + O\left(\frac{q^{g - \frac{1}{2}}}{(g-1)!}\right).$$

The number of potentially smooth divisors with less than $g$ distinct $P_i$'s is
$O\left(q^{g-1}\right)$, which gives a total of

$$\frac{q^g}{g!} + O\left(\frac{q^{g - \frac{1}{2}}}{(g-1)!}\right)$$

potentially smooth divisors. Q.E.D.

The proportion of potentially smooth divisors in $J_q$ is then

$$\frac{\frac{q^g}{g!} + O\left(\frac{q^{g - \frac{1}{2}}}{(g-1)!}\right)}{q^g + O\left(g \, q^{g - \frac{1}{2}}\right)} = \frac{1}{g!} + O\left(\frac{g}{(g-1)! \, \sqrt{q}}\right),$$

and we expect to have a potentially smooth divisor for every $O(g!)$ divisors
computed in the search.


5.5 Almost-Smooth Divisors 

Proposition 5. For $\frac{1}{2} < r < 1$, there are $\frac{q^{rg + 1 - r}}{(g-1)!} + O\left(\frac{q^{rg}}{(g-1)!}\right)$ almost-smooth
divisors in $J_q$.

Proof. Each almost-smooth divisor can be written in the form $D(P) +
\sum_{i=1}^{k-1} D(P_i)$ with $P \in V \setminus B$, the $P_i$'s in $B$ and $k \le g$, so each almost-smooth
divisor can be associated to a large prime and at most $g - 1$ $P_i$'s in $B$. Using an
argument similar to the one in the proof of Proposition 3, we get

$$\frac{q^{r(g-1)}}{(g-1)!} + O\left(\frac{(g-1)^2 \, q^{r(g-2)}}{(g-1)!}\right)$$

possible distinct choices for the $P_i$'s in $B$. There are $|V| - |B| = q - q^r + O(\sqrt{q})$
choices for the large prime, so we have

$$\frac{q^{rg + 1 - r}}{(g-1)!} - \frac{q^{rg}}{(g-1)!} + O\left(\frac{(g-1) \, q^{rg + 1 - 2r}}{(g-2)!}\right) + O\left(\frac{q^{rg + \frac{1}{2} - r}}{(g-1)!}\right)$$

almost-smooth divisors relative to $B$. Since $\frac{1}{2} < r < 1$ and $q > (g-1)!$, we get

$$\frac{q^{rg + 1 - r}}{(g-1)!} + O\left(\frac{q^{rg}}{(g-1)!}\right).$$

Q.E.D.

The proportion of almost-smooth divisors in $J_q$ is

$$\frac{\frac{q^{rg + 1 - r}}{(g-1)!} + O\left(\frac{q^{rg}}{(g-1)!}\right)}{q^g + O\left(g \, q^{g - \frac{1}{2}}\right)} = \frac{q^{-(1-r)(g-1)}}{(g-1)!} + O\left(\frac{q^{-(1-r)g}}{(g-1)!}\right).$$

During the search, we can expect to look at

$$O\left((g-1)! \, q^{(1-r)(g-1)}\right)$$

divisors for each almost-smooth divisor found.


5.6 Intersections 

We now consider the effect on the search of using almost-smooth divisors to get 
the equations required for the linear algebra more quickly. 

In order to know how many equations can be obtained from the almost- 
smooth divisors, we need an estimate of the expected number of intersections 
out of a set of s almost-smooth divisors. For this, we consider only the large 
prime of each almost-smooth divisor. 

Let $Q(n, s, i)$ be the probability of having $i$ intersections out of a sample
of size $s$ drawn with replacement from a set of $n$ elements and let $E_{n,s}$ be the
expected number of intersections, i.e.

$$E_{n,s} = \sum_{i} i \, Q(n, s, i).$$

Theorem 1. If $3 < s < n/2$, then $E_{n,s}$ is between $\frac{s^2}{4n}$ and $\frac{s^2}{n}$.

Proof. If we consider the probability of having $i$ intersections after $s + 1$ draws,
we have

$$Q(n, s+1, i) = \frac{n - 2(s-i)}{n} \, Q(n, s, i) + \frac{2(s-i+1)}{n} \, Q(n, s, i-1)$$

since if $T_{s+1}$ contains the large prime $P_{s+1}$, then $T_{s+1}$ is an intersection if and
only if $\pm P_{s+1}$ appears in one of the $s - i$ or $s - i + 1$ non-intersections in the
first $s$ almost-smooth divisors. Then

$$\begin{aligned}
E_{n,s+1} &= \sum_{i} i \, Q(n, s+1, i) \\
&= \sum_{i} i \left( \frac{n - 2(s-i)}{n} \, Q(n, s, i) + \frac{2(s-i+1)}{n} \, Q(n, s, i-1) \right) \\
&= \frac{n - 2s}{n} \sum_{i} i \, Q(n, s, i) + \frac{2}{n} \sum_{i} i^2 \, Q(n, s, i) + \frac{2s}{n} \sum_{i} Q(n, s, i-1) \\
&\qquad + \frac{2(s-1)}{n} \sum_{i} (i-1) \, Q(n, s, i-1) - \frac{2}{n} \sum_{i} (i-1)^2 \, Q(n, s, i-1) \\
&= \frac{n-2}{n} \sum_{i=0}^{s} i \, Q(n, s, i) + \frac{2s}{n} \sum_{i=0}^{s} Q(n, s, i) \\
&= \left(1 - \frac{2}{n}\right) E_{n,s} + \frac{2s}{n}.
\end{aligned}$$

Solving for $E_{n,s}$ (using $E_{n,1} = 0$), we get

$$E_{n,s} = s - \frac{n}{2}\left(1 - \left(1 - \frac{2}{n}\right)^{s}\right).$$



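The recurrence in the proof above can be run directly, which makes the order of growth of $E_{n,s}$ concrete. The following Python is an added example, not code from the paper: it builds the distribution $Q(n,s,i)$ exactly with rational arithmetic from the recurrence on $Q$, checks that the scalar recurrence $E_{n,s+1} = \frac{n-2}{n}E_{n,s} + \frac{2s}{n}$ obtained at the end of the proof agrees with the full distribution, and finds the smallest sample size $s$ whose expected number of intersections reaches a target, which is how Section 5.8 sizes the search. The function names are my own.

```python
from fractions import Fraction


def intersection_distribution(n, s):
    """Q(n, s, i) for i = 0..s-1, computed exactly from the recurrence
    Q(n,s+1,i) = (n-2(s-i))/n * Q(n,s,i) + 2(s-i+1)/n * Q(n,s,i-1),
    starting from Q(n,1,0) = 1: a single draw can never be an intersection."""
    q = [Fraction(1)]                       # distribution after 1 draw
    for t in range(1, s):                   # extend from t draws to t+1 draws
        nxt = []
        for i in range(t + 1):
            keep = Fraction(n - 2 * (t - i), n) * q[i] if i < len(q) else Fraction(0)
            gain = Fraction(2 * (t - i + 1), n) * q[i - 1] if i >= 1 else Fraction(0)
            nxt.append(keep + gain)
        q = nxt
    return q


def expected_intersections(n, s):
    """E_{n,s} = sum_i i * Q(n, s, i), taken from the full distribution."""
    return sum(i * p for i, p in enumerate(intersection_distribution(n, s)))


def expected_intersections_recurrence(n, s):
    """E_{n,s} from the scalar recurrence derived in the proof of Theorem 1,
    E_{n,s+1} = (n-2)/n * E_{n,s} + 2s/n, with E_{n,1} = 0."""
    e = Fraction(0)
    for t in range(1, s):
        e = Fraction(n - 2, n) * e + Fraction(2 * t, n)
    return e


def sample_size_for(n, target):
    """Smallest s with E_{n,s} >= target: the number of almost-smooth divisors
    the second algorithm must collect so that large-prime intersections supply
    the required number of equations."""
    s, e = 1, Fraction(0)
    while e < target:
        e = Fraction(n - 2, n) * e + Fraction(2 * s, n)
        s += 1
    return s
```

Because $E_{n,s}$ grows like $s^2/n$, `sample_size_for` returns roughly $\sqrt{n \cdot \text{target}}$; with $n \approx q$ and a target of $q^r$ equations this is the $s = O(q^{(r+1)/2})$ of Section 5.8.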

5.7 Search (First Algorithm) 

In order to ensure the existence of a nonzero vector in the kernel of the linear 
algebra system in step 4, we need to find $O(|B|) = O(q^r)$ smooth divisors. Since 
we expect to look at $O\left(g!\, q^{g(1-r)}\right)$ divisors for each smooth divisor found, the 
search will take an expected 

random walk steps. 

At each step of the random walk, we first have to compute $T_i$, which requires 
$O(g^2 (\log q)^2)$ bit operations for the arithmetic in $J_q$. From the representation of 
$T_i$ as $[a(x), b(x)]$, we can test whether or not $T_i$ is potentially smooth by checking 
if $a(x)$ factors into linear factors over $\mathbb{F}_q$, which can be done in $O(g^2 (\log q)^2)$ 
bit operations. We must also compute $\alpha_i$ and $\beta_i$ modulo $|J_q|$, which requires 
$O(g^2 (\log q)^2)$ bit operations. Since this must be done for all $O\left(g!\, q^{g(1-r)+r}\right)$ 
divisors generated, this gives 

$$O\left(g^2\, g!\, q^{g(1-r)+r} (\log q)^2\right)$$ 

bit operations. 
We now consider the cost of completely factoring the potentially smooth 
divisors. Since there are $O(g!)$ divisors for each potentially smooth divisor, we 
expect to find $O\left(q^{g(1-r)+r}\right)$ potentially smooth divisors during the search. Since 
computing the points of $\mathcal{P}$ in the representation of a divisor $[a(x), b(x)]$ requires 
completely factoring $a(x)$ over $\mathbb{F}_q$ (to get the $x$-coordinates and multiplicities) and 
then evaluating $b(x)$ at the roots of $a(x)$ (to obtain the $y$-coordinates), which 
takes $O(g^2 (\log q)^2)$ bit operations (since $a(x)$ has degree $O(g)$), determining 
which potentially smooth divisors are really smooth and representing them in 
terms of the factor base takes 

$$O\left(g^2\, q^{g(1-r)+r} (\log q)^2\right)$$ 

bit operations. 

The search is then expected to take 

$$O\left(g^2\, g!\, q^{g(1-r)+r} (\log q)^2\right)$$ 

bit operations for the first algorithm. 

Note that it may be possible to reduce the number of divisors to consider for 
factorization by giving conditions on the coefficients of $a(x)$ for the divisor to 
be considered for smoothness. For example, if $q$ is prime and the $x$-coordinates 
of the points in the factor base are between $0$ and $cq^r$, then if the divisor is 
smooth, $a(x)$ must be of the form $x^k - a_{k-1} x^{k-1} + \ldots$ with $0 \le a_{k-1} \le kcq^r$. 
Even though this reduces the cost of testing for potentially smooth divisors and 
complete factorization, the arithmetic in $J_q$ is unaffected, and so the effect on 
the running time will be at most a constant factor. This method will not work 
for the second algorithm since there are no restrictions on the $x$-coordinate of 
the large prime. 


5.8 Search (Second Algorithm) 

If we let $n$ be the number of large primes (i.e. $n = q - q^r + O(\sqrt{q})$) and ask that 
$E_{n,s} = O(q^r)$ (i.e. so that we expect the search to yield enough intersections to 
build the linear algebra system), then we need 

$$s = O\left(q^{\frac{r+1}{2}}\right).$$ 

It will then take 

$$O\left(s\, (g-1)!\, q^{(1-r)(g-1)}\right) = O\left((g-1)!\, q^{(g-1)(1-r) + \frac{r+1}{2}}\right)$$ 

steps of random walk to build the linear algebra system. 

Note that we expect the search to also produce 

$$O\left((g-1)!\, q^{(g-1)(1-r) + \frac{r+1}{2}} \cdot \frac{q^{(r-1)g}}{g!}\right)$$ 

smooth divisors, which are obviously used to get the linear algebra system but 
are not enough to have an important effect on the running time. 

As in the first algorithm, computing $T_i = [a(x), b(x)]$, $\alpha_i$ and $\beta_i$, and testing 
whether or not $T_i$ is potentially smooth takes $O(g^2 (\log q)^2)$, for a total of 

$$O\left(g\, g!\, q^{(g-1)(1-r) + \frac{r+1}{2}} (\log q)^2\right)$$ 

bit operations over the whole search. 

Since one in every $O(g!)$ divisors is potentially smooth, we expect to find 

$$O\left(\frac{q^{(g-1)(1-r) + \frac{r+1}{2}}}{g}\right)$$ 

potentially smooth divisors during the search. For each 
potentially smooth divisor, we compute the points in $\mathcal{P}$ in its representation 
(which takes $O(g^2 (\log q)^2)$ bit operations) and check if it is smooth or almost-smooth. 
If the divisor is smooth, it is used to produce the linear algebra system; 
if it is almost-smooth we look at the previous almost-smooth divisors to see if it 
is an intersection, which takes $O\left(\frac{r+1}{2} \log q\right)$ bit operations (there are $O\left(q^{\frac{r+1}{2}}\right)$ 
non-intersections and only the large prime is considered in this search). If we 
have an intersection, we cancel the large prime and use the resulting divisor to 
increase the size of the linear system, otherwise we add the divisor to the list of 
non-intersections. This process is expected to take 

$$O\left(g\, q^{(g-1)(1-r) + \frac{r+1}{2}} (\log q)^2\right)$$ 

bit operations for all the potentially smooth divisors encountered during the 
search. 

The search is then expected to take 

$$O\left(g\, g!\, q^{(g-1)(1-r) + \frac{r+1}{2}} (\log q)^2\right)$$ 

bit operations for the second algorithm. 


5.9 Linear Algebra 

As said before, we continue with the search until we have an overdetermined 
system. This gives us a matrix $M$ of size $O(q^r) \times O(q^r)$, hence there exists a 
nonzero vector in the kernel of $M$. Since each row has weight $O(g)$ ($< g$ for 
the first algorithm and $< 2g$ for the second), the system is sparse with weight 
$O(g q^r)$. 

Since $M$ is sparse, we can use the algorithms by Lanczos [11] and Wiedemann 
[13]. We can then find a vector in the kernel of this matrix in $O(g q^{2r})$ operations 
modulo $|J_q|$. Since $|J_q| = q^g + O\left(g\, q^{g - \frac{1}{2}}\right)$, finding a solution will take 

$$O\left(g^3\, q^{2r} (\log q)^2\right)$$ 

bit operations. 
5.10 Final Solution 

From the vector in the kernel of $M$, we have 

$$\sum_{i} \gamma_i T_i = 0.$$ 

We obtain the final solution by computing 

$$\alpha = \sum_{i} \gamma_i \alpha_i \quad \text{and} \quad \beta = \sum_{i} \gamma_i \beta_i$$ 

modulo $|J_q|$, where $\alpha_i, \beta_i$ come from the representation $T_i = \alpha_i D_1 + \beta_i D_2$ of 
the $i$-th divisor used to build the linear algebra system. If $\beta \neq 0$, the final solution 
of the discrete log problem for the pair $(D_1, D_2)$ is 

$$\lambda = -\frac{\alpha}{\beta} \bmod |J_q|.$$ 

Computing $\alpha$ and $\beta$ requires $O(q^r)$ operations modulo $|J_q|$, each of these 
operations taking $O(g^2 (\log q)^2)$ bit operations. This gives a total of 

$$O\left(g^2\, q^r (\log q)^2\right)$$ 

bit operations for the final step. 

5.11 Optimization (First Algorithm) 

Theorem 2. The factor base can be chosen such that the running time of the 
first algorithm becomes 

Proof. From the previous sections, the steps of the first algorithm have the 
following running times: 

1. $O\left(g^2\, q (\log q)^2\right)$ 

2. $O\left(g^4 (\log q)^4\right)$ 

3. $O\left(g^2\, g!\, q^{g - (g-1)r} (\log q)^2\right)$ 

4. $O\left(g^3\, q^{2r} (\log q)^2\right)$ 

5. $O\left(g^2\, q^r (\log q)^2\right)$ 

Since the running times for parts 1, 2 and 5 are all much smaller than those for 
parts 3 and 4 when $\frac{1}{2} < r < 1$, the overall running time is: 

$$O\left(g^2\, g!\, q^{g - (g-1)r} (\log q)^2\right) + O\left(g^3\, q^{2r} (\log q)^2\right).$$ 

In order to minimize this, we choose $r$ such that both parts have the same 
asymptotic form, i.e. such that 

$$(g-1)!\, q^{g - (g-1)r} = q^{2r}.$$ 

Solving for $r$, we get 

$$r = \frac{g + \log_q\left((g-1)!\right)}{g+1}$$ 

and since $r$ is indeed between $\frac{1}{2}$ and $1$ for genus $\ge 3$, this gives a running time 
of 

$$O\left(g^3\, \left((g-1)!\right)^{\frac{2}{g+1}}\, q^{\frac{2g}{g+1}} (\log q)^2\right).$$ 

Finally, since $(g/4)^{g+1} < (g-1)! < g^{g+1}$ for $g \ge 3$, this is 

$$O\left(g^5\, q^{2 - \frac{2}{g+1} + \epsilon}\right).$$ 

Q.E.D. 

5.12 Optimization (Second Algorithm) 

Theorem 3. The factor base can be chosen such that the running time of the 
second algorithm becomes 

$$O\left(g^5\, q^{2 - \frac{4}{2g+1} + \epsilon}\right).$$ 

Proof. For the second algorithm, the steps have running times: 

1. $O\left(g^2\, q (\log q)^2\right)$ 

2. $O\left(g^4 (\log q)^4\right)$ 

3. $O\left(g\, g!\, q^{(g-1)(1-r) + \frac{r+1}{2}} (\log q)^2\right)$ 

4. $O\left(g^3\, q^{2r} (\log q)^2\right)$ 

5. $O\left(g^2\, q^r (\log q)^2\right)$ 

Once again, steps 3 and 4 are more costly than the others, so the overall running 
time is: 

$$O\left(g\, g!\, q^{(g-1)(1-r) + \frac{r+1}{2}} (\log q)^2\right) + O\left(g^3\, q^{2r} (\log q)^2\right).$$ 

Forcing both parts to have the same asymptotic form requires 

which gives 

$$r = \frac{g - \frac{1}{2} + \log_q\left((g-1)!/g\right)}{g + \frac{1}{2}}$$ 

and since $r$ is indeed between $\frac{1}{2}$ and $1$ for genus $\ge 3$, this gives a running time 
of 

$$O\left(g^3\, \left((g-1)!/g\right)^{\frac{2}{g + \frac{1}{2}}}\, q^{\frac{2g-1}{g + \frac{1}{2}}} (\log q)^2\right).$$ 

Finally, since $(g/4)^{g + \frac{1}{2}} < (g-1)!/g < g^{g + \frac{1}{2}}$ for $g \ge 3$, we get 

$$O\left(g^5\, q^{2 - \frac{4}{2g+1} + \epsilon}\right).$$ 

Q.E.D. 
6 Memory Space 

For both algorithms, storing the linear algebra system requires $O\left(g\, q^r \log q\right)$ 
bits ($O(q^r)$ equations and for each equation, the factored divisor, $\alpha_i$ and $\beta_i$ each 
take $O(g \log q)$ bits). For the second algorithm, we must also store all the non-intersection 
almost-smooth divisors, which requires $O\left(g\, q^{\frac{r+1}{2}} \log q\right)$ bits (we 
expect to need $O\left(q^{\frac{r+1}{2}}\right)$ almost-smooth divisors, each taking $O(g \log q)$ bits to 
store the factorization, $\alpha_i$ and $\beta_i$), which will take more space than the linear 
algebra system. 

Substituting $r$ with the values found in the proofs of Theorems 2 and 3, we 
get $O\left(g^2\, q^{\frac{g}{g+1} + \epsilon}\right)$ bits for the first algorithm and $O\left(g^{\frac{3}{2}}\, q^{\frac{2g}{2g+1} + \epsilon}\right)$ bits for the 
second algorithm. 

7 Conclusion 

We have described two algorithms for the hyperelliptic curve discrete log problem 
which improve on previously published attacks. If we compare the running 
time of these two algorithms with those of the original index calculus and the 
various "square-root" algorithms (Baby Step-Giant Step, Pollard $\rho$, etc.), for 
small genus, we have: 

                        g | 3         4         5         6         7         8         9 
    square-root algorithms  | q^{3/2}   q^2       q^{5/2}   q^3       q^{7/2}   q^4       q^{9/2} 
    original index calculus | q^2       q^2       q^2       q^2       q^2       q^2       q^2 
    reduced factor base     | q^{3/2}   q^{8/5}   q^{5/3}   q^{12/7}  q^{7/4}   q^{16/9}  q^{9/5} 
    with large primes       | q^{10/7}  q^{14/9}  q^{18/11} q^{22/13} q^{26/15} q^{30/17} q^{34/19} 

Since the running times using large primes are slightly lower than previously 
published attacks, the large primes algorithm should be taken into account when 
designing any cryptosystem based on hyperelliptic curves of genus greater than 
2. In particular, for curves of genus 3, the field of definition requires approximately 
5% more bits of memory space for the curves to give the same level 
of security as they did when the best known attacks were the square root algorithms 
(obviously, the cost of the group operation will also increase in consequence). 
The 5% increase is due to the ratio $\log(q')/\log(q) \approx 21/20$ required 
for the index calculus attack for a genus 3 curve defined over $\mathbb{F}_{q'}$ to require the 
same expected running time as Pollard's $\rho$ algorithm for a genus 3 curve defined 
over the field $\mathbb{F}_q$. 

Note that for genus 2 curves, Gaudry showed that the linear algebra system 
can be solved in linear time (see [7]). The best possible running time for the 
index calculus (using all the points over $\mathbb{F}_q$ as the factor base) is then $O(q)$, 
which is the same as Pollard's $\rho$ method and the other square root algorithms. 
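The trade-off behind Theorems 2 and 3 and the table above can be checked numerically. The following Python is an added example, not code from the paper: it solves the two balance equations from Sections 5.11 and 5.12 for $r$ at a concrete field size, verifies that the search and linear-algebra exponents coincide there, tabulates the exponents of $q$ for $g = 3, \ldots, 9$ (square-root methods $g/2$, reduced factor base $2 - \frac{2}{g+1}$, large primes $2 - \frac{4}{2g+1}$), and reproduces the $21/20$ ratio quoted for genus 3 as the ratio of the square-root exponent to the large-prime exponent. The function names are my own; the polynomial-in-$g$ and $\log q$ factors are left out of the balance, as the proofs do.

```python
import math
from fractions import Fraction


def optimal_r_first(g, q):
    """r that balances search and linear algebra in the first algorithm:
    (g-1)! q^{g-(g-1)r} = q^{2r}  =>  r = (g + log_q((g-1)!)) / (g+1)."""
    return (g + math.log(math.factorial(g - 1), q)) / (g + 1)


def optimal_r_second(g, q):
    """Same balance for the second algorithm:
    ((g-1)!/g) q^{(g-1)(1-r)+(r+1)/2} = q^{2r}
      =>  r = (g - 1/2 + log_q((g-1)!/g)) / (g + 1/2)."""
    return (g - 0.5 + math.log(math.factorial(g - 1) / g, q)) / (g + 0.5)


def cost_exponents_first(g, q, r):
    """log_q of the two dominant terms (search, linear algebra) of the first
    algorithm for a given r; they coincide exactly at optimal_r_first."""
    search = math.log(math.factorial(g - 1), q) + g - (g - 1) * r
    return search, 2 * r


def cost_exponents_second(g, q, r):
    """Same for the second algorithm."""
    search = (math.log(math.factorial(g - 1) / g, q)
              + (g - 1) * (1 - r) + (r + 1) / 2)
    return search, 2 * r


def exponent_table(g):
    """Exponent of q in the running time for genus g: square-root methods,
    reduced factor base (Theorem 2) and large primes (Theorem 3)."""
    return (Fraction(g, 2), 2 - Fraction(2, g + 1), 2 - Fraction(4, 2 * g + 1))


def conclusion_table():
    """The rows of the comparison table for g = 3..9, as exact fractions."""
    return {g: exponent_table(g) for g in range(3, 10)}


def field_size_ratio(g):
    """log(q')/log(q) such that the large-prime attack over F_{q'} costs as
    much as a square-root attack over F_q: 21/20 for genus 3."""
    sqrt_exp, _, large_prime_exp = exponent_table(g)
    return sqrt_exp / large_prime_exp


if __name__ == "__main__":
    q = 2 ** 40          # constructed field size, chosen only for illustration
    for g, (sq, rf, lp) in conclusion_table().items():
        print(f"g={g}: sqrt q^{sq}  reduced q^{rf}  large primes q^{lp}  "
              f"r1={optimal_r_first(g, q):.4f}  r2={optimal_r_second(g, q):.4f}")
    print("genus 3 field-size ratio:", field_size_ratio(3))
```

At small $q$ the $\log_q((g-1)!)$ term pushes the balancing $r$ above $1$ for large $g$, which is why the proofs restrict to $q$ large enough that $r$ stays in $(\frac{1}{2}, 1)$; the example uses $q = 2^{40}$, where it does for every $g$ in the table.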
Abstract. One of the recent thrust areas in research on hyperelliptic 
curve cryptography has been to obtain explicit formulae for performing 
arithmetic in the Jacobian of such curves. We continue this line of 
research by obtaining parallel versions of such formulae. Our first contribution 
is to develop a general methodology for obtaining a parallel algorithm 
for any explicit formula. Any parallel algorithm obtained using our 
methodology is provably optimal in the number of multiplication rounds. 

We next apply this methodology to Lange's explicit formulae for arithmetic 
in genus 2 hyperelliptic curves, both for the affine coordinate and 
inversion free arithmetic versions. Since the encapsulated add-and-double algorithm 
is an important countermeasure against side channel attacks, we 
develop parallel algorithms for encapsulated add-and-double for both of 
Lange's versions of the explicit formula. For the case of inversion free arithmetic, 
we present parallel algorithms using 4, 8 and 12 multipliers. All 
parallel algorithms described in this paper are optimal in the number of 
parallel rounds. One of the conclusions from our work is the fact that 
the parallel version of inversion free arithmetic is more efficient than the 
parallel version of arithmetic using affine coordinates. 

Keywords: hyperelliptic curve cryptography, explicit formula, parallel 
algorithm, Jacobian, encapsulated add-and-double. 

1 Introduction 

Hyperelliptic curves present a rich source of abelian groups over which the dis- 
crete logarithm problem is believed to be difficult. Hence these groups can be 
used for implementation of various public key primitives. 

The main operation in a hyperelliptic curve based primitive is scalar multiplication, 
which is the operation of computing $mX$, where $m$ is an integer and $X$ 
is a (reduced) divisor in the Jacobian of the curve. Any algorithm for scalar multiplication 
requires an efficient method of performing arithmetic in the Jacobian. 
This arithmetic essentially consists of two operations: addition and doubling of 
divisors. 

The basic algorithm for performing arithmetic in the Jacobian of hyperelliptic 
curves is due to Cantor [1]. However, this algorithm is not sufficiently fast for 

C.S. Laih (Ed.): ASIACRYPT 2003, LNCS 2894, pp. 93-110, 2003. 
practical implementation. There has been extensive research on algorithms for 
efficient arithmetic. The main technique is to obtain so called “explicit formula” 
for performing addition and doubling. These explicit formulae are themselves 
composed of addition, multiplication, squaring and inversion operations over 
the underlying finite field. Moreover, these formulae are specific to a particular 
genus. Thus there are separate formulae for genus 2 and genus 3 curves. See 
Table 1 in Section 2 for more details. 

In this paper, we consider the problem of parallel execution of explicit for- 
mula. An explicit formula can contain quite a few field multiplications and squar- 
ings. (In certain cases, this can even be 50 or more.) On the other hand, the 
number of inversions is usually at most one or two. An explicit formula usu- 
ally also contains many field additions; however, the cost of a field addition is 
significantly less than the cost of a field multiplication or inversion. Hence the 
dominant operation in an explicit formula is field multiplication. 

On inspection of different explicit formulae appearing in the literature there 
appear to be groups of multiplication operations that can be executed in parallel. 
Clearly the ability to perform multiplications in parallel will improve the speed 
of execution of the algorithm. This gives rise to the following question: Given an 
explicit formula, what is the best parallel algorithm for computing the formula? 

Our first contribution is to develop a general methodology for obtaining paral- 
lel version of any explicit formula. The methodology guarantees that the obtained 
parallel version requires the minimum number of rounds. The methodology can 
be applied to any explicit formula appearing in the literature. (There could also 
be other possible applications.) 

The most efficient explicit formula for performing arithmetic in the Jacobian 
of genus 2 curve is given in [11,12]. In [11], the affine coordinate representation of 
divisors is used and both addition and doubling involve a field inversion. On the 
other hand, in [12] the explicit formula is developed for inversion free arithmetic 
in the Jacobian. 

Our second contribution is to apply our methodology to both [11] and [12]. 
For practical applications, it is necessary to consider resistance to side channel 
attacks. One important countermeasure is to perform a so-called encapsulated 
add-and-double algorithm (see [3,6,7] for details). We develop parallel versions 
of encapsulated add-and-double algorithm for both [11] and [12]. In many situ- 
ations, the number of parallel multipliers available may be limited. To deal with 
such situations we present the encapsulated add-and-double algorithm using in- 
version free arithmetic using 4, 8 and 12 multipliers. For the affine version we 
have derived an algorithm using 8 multipliers. All of our algorithms are optimal 
parallel algorithms in the sense that no other parallel algorithm can perform the 
computation in lesser number of rounds. 

Some of the results we obtain are quite striking. For example, using 
4 multipliers, we can complete the inversion free encapsulated add-and-double 
algorithm in 27 rounds and using 8 multipliers we can complete it in 14 rounds. 
The algorithm involves 108 multiplications. In the case of arithmetic using affine 
coordinates, the 8 multiplier algorithm will complete the computation in 11 
Table 1. Complexity of Explicit Formulae. 

    Genus   | Name/Proposed in    | Characteristic | Cost (Add)           | Cost (Double) 
    Genus 2 | Cantor [19]         | All            | 3[i] + 70[m/s]       | 3[i] + 76[m/s] 
            | Nagao [19]          | Odd            | 1[i] + 55[m/s]       | 1[i] + 55[m/s] 
            | Harley [5]          | Odd            | 2[i] + 27[m/s]       | 2[i] + 30[m/s] 
            | Matsuo et al [14]   | Odd            | 2[i] + 25[m/s]       | 2[i] + 27[m/s] 
            | Miyamoto et al [17] | Odd            | 1[i] + 26[m/s]       | 1[i] + 27[m/s] 
            | Takahashi [23]      | Odd            | 1[i] + 25[m/s]       | 1[i] + 29[m/s] 
            | Lange [11]          | All            | 1[i] + 22[m] + 3[s]  | 1[i] + 22[m] + 5[s] 
            | Lange [12]          | All            | 40[m] + 6[s]         | 47[m] + 4[s] 
    Genus 3 | Nagao [19]          | Odd            | 2[i] + 154[m/s]      | 2[i] + 146[m/s] 
            | Pelzl et al [20]    | All            | 1[i] + 70[m] + 6[s]  | 1[i] + 61[m] + 10[s] 
    Genus 4 | Pelzl et al [21]    | All            | 2[i] + 160[m] + 4[s] | 2[i] + 193[m] + 16[s] 


rounds including an inversion round. Usually inversions are a few times costlier 
than multiplications, the actual figure being dependent upon exact implementation 
details. However, from our results it is clear that in general the parallel 
version of arithmetic using affine coordinates will be costlier than the parallel 
version of inversion free arithmetic. 

2 Preliminaries of Hyperelliptic Curves 

In this section, we give a brief overview of hyperelliptic curves. For details, 
readers can refer to [15]. Let $K$ be a field and let $\bar{K}$ be the algebraic closure 
of $K$. A hyperelliptic curve $C$ of genus $g$ over $K$ is an equation of the form 
$C : v^2 + h(u)v = f(u)$ where $h(u) \in K[u]$ is a polynomial of degree at most 
$g$, $f(u) \in K[u]$ is a monic polynomial of degree $2g + 1$, and there are no singular 
points $(u, v) \in \bar{K} \times \bar{K}$. Unlike elliptic curves, the points on the hyperelliptic curve 
do not form a group. The additive group on which the cryptographic primitives 
are implemented is the divisor class group. Each element of this group is a reduced 
divisor. The group elements have a nice canonical representation by means of 
two polynomials of small degree. The algorithms Koblitz [8] proposed for divisor 
addition and doubling are known as Cantor's algorithms. 

Spallek [22] made the first attempt to compute divisor addition by explicit 
formula for genus 2 curves over fields of odd characteristic. Harley [5] improved 
the running time of the algorithm in [22]. Gaudry and Harley [4] observed that 
one can derive different explicit formulae for divisor operations depending upon 
the weight of the divisors. In 2000, Nagao [19] proposed two algorithms; one 
for polynomial division without any inversion and another for extended gcd 
computation of polynomials requiring only one inversion. Both these algorithms 
can be applied to Cantor's algorithm to improve efficiency. Lange [10] generalised 
Harley's approach to curves over fields of even characteristic. Takahashi [23] and 
Miyamoto, Doi, Matsuo, Chao and Tsujii [17] achieved further speed-up using 
Montgomery's trick to reduce the number of inversions to 1. For genus 2 curves, 
the fastest version of explicit formula for inversion free arithmetic is given in [12] 
and the fastest version of explicit formula using affine coordinates is given in [11]. 
Lange has also proposed various co-ordinate systems and explicit formulae for 
arithmetic of genus 2 curves over them. Interested readers can refer to [13]. For 
genus 3 curves Pelzl, Wollinger, Guajardo and Paar [20] have proposed explicit 
formulae for performing arithmetic. For genus 4 curves, Pelzl, Wollinger and Paar 
have derived explicit formulae [21]. Curves of genus 5 and above are considered 
insecure for cryptographic use. 

We summarise the complexity of various explicit formulae proposed in the literature 
in Table 1. The cost generally corresponds to the most general case. In the 
cost column, [i], [m], [s] stand for the time taken by an inversion, a multiplication 
and a squaring in the underlying field respectively. The notation [m/s] stands for 
the time of a squaring or multiplication. In the corresponding papers, multiplications 
and squarings have been treated as being of the same complexity. 

3 General Methodology for Parallelizing Explicit Formula 

An explicit formula for performing doubling (resp. addition) in the Jacobian of a 
hyperelliptic curve is an algorithm which takes one (resp. two) reduced divisor(s) 
as input and produces a reduced divisor as output. Also the parameters of the 
curve are available to the algorithm. The algorithm proceeds by a sequence 
of elementary operations, where each operation is either a multiplication or an 
addition or an inversion over the underlying field. In general the formulae involve 
one inversion. If there is one inversion, the inversion operation can be neglected 
and the parallel version can be prepared without it. Later, it can be plugged in as 
a separate round at an appropriate place. The same is true if the formula contains 
more than one inversion. Hence, we can assume that the formula is inversion-free. 
The cost of a field multiplication (or squaring) is significantly more than 
the cost of a field addition and hence the number of field multiplications is 
the dominant factor determining the cost of the algorithm. On inspection of 
the different explicit formulae available in the literature, it appears that there 
are groups of multiplication operations which can be performed in parallel. The 
ability to perform several multiplications in parallel can significantly improve the 
total computation time. So the key problem that we consider is the following: 
Given an explicit formula, identify the groups of multiplication operations that 
can be performed in parallel. In this section we develop a general methodology 
for solving this problem. 

Let $\mathcal{F}$ be an explicit formula. Then $\mathcal{F}$ consists of multiplication and addition 
operations. Also several intermediate variables are involved. First we perform the 
following preprocessing on $\mathcal{F}$. 

1. Convert all multiplications to binary operations: Operations which are expressed 
as a product of three or more variables are rewritten as a sequence 
of binary operations. For example, the operation computing $p_1 p_2 p_3$ is rewritten as 
$p_4 = p_1 p_2$ and $p_5 = p_3 p_4$. 



Parallelizing Explicit Formula for Arithmetic in the Jacobian 97 


2. Reduce multiplication depth: Suppose we are required to perform the following 
sequence of operations: $p_3 = p_1^2 p_2$; $p_4 = p_3 p_2$. The straightforward 
way of converting to binary results in the following sequence of operations: 
$t_1 = p_1^2$; $p_3 = t_1 p_2$; $p_4 = p_3 p_2$. Note that the three operations have to be 
done sequentially one after another. On the other hand, suppose we perform 
the operations in the following manner: $\{t_1 = p_1^2;\ t_2 = p_2^2\}$ $\{p_3 = t_1 p_2;\ p_4 = t_1 t_2\}$. 
In this case, the operations within $\{\}$ can be performed in parallel and 
hence the computation can be completed in two parallel rounds. The total 
number of operations increases to 4, but the number of parallel rounds is 
less. We have performed such operations by inspection. We also note that 
it should be fruitful to consider an algorithmic approach to this step. 

3. Eliminate reuse of variable names: Consider the following sequence of operations: 

$$q_1 = p_1 + p_2;\ q_2 = p_3;\ \ldots;\ q_1 = p_4 + p_5;\ \ldots$$ 

In this case, at different points of the algorithm, the intermediate variable $q_1$ 
is used to store the values of both $p_1 + p_2$ and $p_4 + p_5$. During the process of 
devising the parallel algorithm we rename the variable $q_1$ storing the value 
of $p_4 + p_5$ by a unique new name. In the parallel algorithm we can again 
suitably rename it to avoid the overhead cost of initialising a new variable. 

4. Labeling process: We assign unique labels to the addition and multiplication 
operations and unique names to the intermediate variables. 

Given a formula $\mathcal{F}$, we define a directed acyclic graph $G(\mathcal{F})$ in the following 
fashion. 

- The nodes of $G(\mathcal{F})$ correspond to the arithmetic operations and variables of 
$\mathcal{F}$. Also there are nodes for the parameters of the input divisor(s) as well as 
for the parameters of the curve. 

- The arcs are defined as follows: Suppose $id : r = qp$ is a multiplication operation. 
The identifier $id$ is the label assigned to this operation. Then the 
following arcs are present in $G(\mathcal{F})$: $(q, id)$, $(p, id)$ and $(id, r)$. Similarly, the 
arcs for the addition operations are defined, with the only difference being 
the fact that the indegree of an addition node may be greater than two. 

Proposition 1. The following are true for the graph $G(\mathcal{F})$. 

1. The indegree of variable nodes corresponding to the parameters of the input 
divisors and the parameters of the curve is zero. 

2. The indegree of any node corresponding to an intermediate variable is one. 

3. The outdegree of any node corresponding to an addition or multiplication 
operation is one. 

Note that the outdegree of nodes corresponding to variables can be greater than 
one. This happens when the variable is required as input to more than one arithmetic 
operation. Our aim is to identify the groups of multiplication operations 
that can be performed in parallel. For this purpose, we prepare another graph 
$G^*(\mathcal{F})$ from $G(\mathcal{F})$ in the following manner: 
- The nodes of $G^*(\mathcal{F})$ are the nodes of $G(\mathcal{F})$ which correspond to multiplication 
operations. 

- There is an arc $(id_1, id_2)$ from node $id_1$ to node $id_2$ in $G^*(\mathcal{F})$ only if there 
is a path from $id_1$ to $id_2$ in $G(\mathcal{F})$ which does not pass through another 
multiplication node. 

The graph $G^*(\mathcal{F})$ captures the ordering relation between the multiplication operations 
of $\mathcal{F}$. Thus, if there is an arc $(id_1, id_2)$ in $G^*(\mathcal{F})$, then the operation $id_1$ 
must be done before the operation $id_2$. We now define a sequence of subgraphs 
of $G^*(\mathcal{F})$ and a sequence of subsets of nodes of $G^*(\mathcal{F})$ in the following manner. 

- $G_1(\mathcal{F}) = G^*(\mathcal{F})$ and $M_1$ is the set of nodes of $G_1$ whose indegree is zero. 

- For $i \ge 2$, $G_i$ is the graph obtained from $G_{i-1}$ by deleting the set $M_{i-1}$ from 
$G_{i-1}$ and $M_i$ is the set of nodes of $G_i$ whose indegree is zero. 

Let $r$ be the least positive integer such that $G_{r+1}$ is the empty graph, i.e., on 
removing $M_r$ from $G_r$, the resulting graph becomes empty. 

Proposition 2. The following statements hold for the graph $G^*(\mathcal{F})$. 

1. The sequence $M_1, \ldots, M_r$ forms a partition of the nodes of $G^*(\mathcal{F})$. 

2. All the multiplications in any $M_i$ can be performed in parallel. 

3. There is a path in $G^*(\mathcal{F})$ from some vertex in $M_1$ to some vertex in $M_r$. 
Consequently, at least $r$ parallel multiplication rounds are required to perform 
the computation of $\mathcal{F}$. 

It is easy to obtain the sets $M_i$ from the graph $G^*(\mathcal{F})$ by a modification 
of the standard topological sort algorithm [2]. The sets $M_i$ ($1 \le i \le r$) represent 
only the multiplication operations of $\mathcal{F}$. To obtain a complete parallel 
algorithm, we have to organize the addition operations and take care of the intermediate 
variables. There may be some addition operations at the beginning 
of the formula. Since additions are to be performed sequentially, we can ignore 
these additions while deriving the parallelised formula, treating the sums they 
produce as inputs. Later, they can be plugged in at the beginning of the formula. 

For $1 \le i \le r-1$, let $A_i$ be the set of addition nodes which lie on a path from 
some node in $M_i$ to some node in $M_{i+1}$. Further, let $A_r$ be the set of addition 
nodes which lie on a path originating from some node in $M_r$. There may be more 
than one addition operation in a path from a node in $M_i$ to a node in $M_{i+1}$. 
These additions have to be performed in a sequential manner. (Note that we are 
assuming that $\mathcal{F}$ starts with a set of multiplication operations and ends with a 
set of addition operations. It is easy to generalize to a more general form.) 

Each multiplication and addition operation produces a value which is stored 
in an intermediate variable. We now describe the method of obtaining the set of 
intermediate variables required at each stage of computation. Let $I_1, \ldots, I_{2r}$ and 
$O_1, \ldots, O_{2r}$ be two sequences of subsets of nodes of $G(\mathcal{F})$, where each $I_j$ and $O_j$ 
contains nodes of $G(\mathcal{F})$ corresponding to variables. The parameters of the curve 
and the input divisor(s) are not included in any of the $I_j$ and $O_j$'s. These are 
assumed to be additionally present throughout the algorithm. For $1 \le i \le r$, 
these sets are defined as follows: 
1. $I_{2i-1}$ contains intermediate variables which are the inputs to the multiplication 
nodes in $M_i$. 

2. $I_{2i}$ contains intermediate variables which are the inputs to the addition nodes 
in $A_i$. 

3. $O_{2i-1}$ contains intermediate variables which are the outputs of the multiplication 
nodes in $M_i$. 

4. $O_{2i}$ contains intermediate variables which are the outputs of the addition 
nodes in $A_i$. 

For $1 \le j \le 2r$, define 

$$V_j = \left(\bigcup_{i=1}^{j} O_i\right) \cap \left(\bigcup_{i=j+1}^{2r} I_i\right). \qquad (1)$$ 

If a variable $x$ is in $V_j$, then it has been produced by some previous operation 
and will be required in some subsequent operation. We define the parallel version 
$par(\mathcal{F})$ of $\mathcal{F}$ as a sequence of rounds 

$$par(\mathcal{F}) = (\mathcal{R}_1, \ldots, \mathcal{R}_r), \qquad (2)$$ 

where $\mathcal{R}_i = (M_i, V_{2i-1}, A_i, V_{2i})$. In round $i$, the multiplications in $M_i$ can be 
performed in parallel; the sets $V_{2i-1}$ and $V_{2i}$ are the sets of intermediate variables 
and $A_i$ is the set of addition operations. Note that the addition operations are 
not meant to be performed in parallel. Indeed, in certain cases the addition 
operations in $A_i$ have to be performed in a sequential manner. We define several 
parameters of $par(\mathcal{F})$. 

Definition 1. Let $par(\mathcal{F}) = (\mathcal{R}_1, \ldots, \mathcal{R}_r)$ be the $r$-round parallel version of the 
explicit formula $\mathcal{F}$. Then 

1. The total number of multiplications (including squarings) occurring in $par(\mathcal{F})$ 
will be denoted by $TM$. 

2. The multiplication width ($MW$) of $par(\mathcal{F})$ is defined to be $MW = \max_{1 \le i \le r} |M_i|$. 

3. The buffer width ($BW$) of $par(\mathcal{F})$ is defined to be $BW = \max_{1 \le j \le 2r} |V_j|$. 

4. A path from a node in $M_1$ to a node in $M_r$ is called a critical path in $par(\mathcal{F})$. 

5. The value $r$ is the critical path length ($CPL$) of $par(\mathcal{F})$. 

The parameter $MW$ denotes the maximum number of multipliers that can operate 
in parallel. Using $MW$ parallel multipliers $\mathcal{F}$ can be computed in $r$ parallel 
rounds. The buffer width $BW$ denotes the maximum number of variables that 
are required to be stored at any stage in the parallel algorithm. 

3.1 Decreasing the Multiplication Width 

The method described above yields a parallel algorithm $\mathrm{par}(F)$ for a given explicit formula $F$. It also fixes the number of computational rounds $r$ required to execute the algorithm using $MW$ processors. By definition, $MW$ is the maximum number of multiplications taking place in a round. However, it may happen that in many rounds the actual number of multiplications is less than $MW$. If we use $MW$ multipliers, then some of the multipliers will be idle in such rounds. The ideal scenario is $MW \approx \lceil TM/r \rceil$. However, such an ideal situation may not come about automatically. We next describe a method for making the distribution of the number of multiplication operations more uniform among the rounds.

We first prepare a requirement table. It is a table containing data about the intermediate variables created in the algorithm. For every variable it contains the names of the variables used in the expression computing it, the latest round in which one of those variables is created, and the earliest round in which the variable itself is used. For example, suppose an intermediate variable $v_x = v_y * v_z$ is computed in the $j$-th round. Of $v_y$ and $v_z$, let $v_z$ be the one which is computed later, in the $i$-th round. Let $v_x$ be used earliest in the $k$-th round. Then the requirement table has an entry for $v_x$ consisting of $v_y$, $v_z$, $i$, $k$. If both $v_y$ and $v_z$ are input values, then we take $i = 0$. Note that $i < j < k$.

Now suppose that there are more than $\lceil TM/r \rceil$ multiplications in the $j$-th round. Further suppose that for some $j_1$ with $i + 1 \le j_1 \le k - 1$, the number of multiplications in the $j_1$-th round is less than $\lceil TM/r \rceil$. Then we transfer the multiplication producing $v_x$ to the $j_1$-th round and hence reduce the multiplication width of the $j$-th round. Since the operands of $v_x$ already exist before round $j_1$ and $v_x$ is not needed before round $k$, this change of position of the multiplication operation does not affect the correctness of the algorithm.

This procedure is applied as many times as possible to rounds which contain more than $\lceil TM/r \rceil$ multiplications. As a result we obtain a parallel algorithm with a more uniform distribution of the number of multiplication operations over the rounds, and consequently a smaller value of $MW$.
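The construction of $\mathrm{par}(F)$ and the rebalancing step above, as an added example (illustrative code written for this page, not code from the paper). It takes an explicit formula as a list of multiplications and additions, places every operation in the earliest possible round, computes $TM$, $MW$, $BW$ and $CPL$ of Definition 1, and then moves multiplications out of over-full rounds whenever the dependency window of the requirement table allows it. TOY_FORMULA is a constructed seven-multiplication formula, not one of Lange's; the buffer-width accounting (inputs sit in the initial buffer, a variable is live until its last use, outputs stay live to the end) is an assumption about how the paper's buffer states are counted; and min_rounds is the $\lceil TM/m \rceil$ bound used in Section 5.1.

```python
# Added example (not from the paper): build par(F) for an explicit formula, compute
# TM, MW, BW and CPL of Definition 1, and apply the rebalancing step of Section 3.1.
# TOY_FORMULA is a constructed formula, not one of Lange's. An operation is
# (result, kind, operands) with kind "mul" or "add"; an operand that is never a
# result is an input (a divisor coordinate or a curve constant).
from collections import Counter

TOY_FORMULA = [
    ("m1", "mul", ("a", "b")),
    ("m2", "mul", ("c", "d")),
    ("m3", "mul", ("a", "c")),
    ("m4", "mul", ("b", "d")),
    ("m5", "mul", ("a", "d")),
    ("m6", "mul", ("m1", "m2")),
    ("s1", "add", ("m6", "m3")),
    ("m7", "mul", ("s1", "m4")),
    ("s2", "add", ("m7", "m5")),
]
TOY_OUTPUTS = ("s2",)


def asap_rounds(ops):
    """Earliest round of every result: a multiplication one round after its latest
    operand, an addition in the addition phase A_i of that operand's round i.
    Inputs count as round 0."""
    rnd = {}
    for name, kind, ins in ops:
        d = max((rnd.get(v, 0) for v in ins), default=0)
        rnd[name] = d + 1 if kind == "mul" else d
    return rnd


def rounds_from_muls(ops, mul_round):
    """Re-derive the addition rounds once the multiplications have been placed."""
    rnd = {}
    for name, kind, ins in ops:
        rnd[name] = mul_round[name] if kind == "mul" else max((rnd.get(v, 0) for v in ins), default=0)
    return rnd


def is_valid(ops, rnd):
    """A multiplication needs its operands from strictly earlier rounds; an addition
    from the same round or earlier, because A_i runs after M_i."""
    need = {"mul": 1, "add": 0}
    return all(rnd[v] + need[kind] <= rnd[name]
               for name, kind, ins in ops for v in ins if v in rnd)


def metrics(ops, rnd, outputs):
    """TM, MW, BW and CPL. Phase (i, 0) is 'after M_i', phase (i, 1) 'after A_i';
    a variable is live after a phase if it exists and is still needed later
    (assumption: inputs sit in the initial buffer, outputs stay live to the end)."""
    muls = [n for n, k, _ in ops if k == "mul"]
    r = max(rnd[m] for m in muls)
    produced = {n: (rnd[n], 0 if k == "mul" else 1) for n, k, _ in ops}
    for v in {v for _, _, ins in ops for v in ins if v not in produced}:
        produced[v] = (0, 1)
    last_use = {v: (r + 1, 0) for v in outputs}
    for n, _, ins in ops:
        for v in ins:
            last_use[v] = max(last_use.get(v, (0, 0)), produced[n])
    phases = [(0, 1)] + [(i, p) for i in range(1, r + 1) for p in (0, 1)]
    bw = max(sum(produced[v] <= t < last_use.get(v, (0, 0)) for v in produced) for t in phases)
    return {"TM": len(muls), "MW": max(Counter(rnd[m] for m in muls).values()), "BW": bw, "CPL": r}


def balance(ops, rnd):
    """Section 3.1: while a round holds more than ceil(TM/r) multiplications, move
    one of them to a round with spare multipliers, provided every dependency still
    holds (the requirement-table window: after its operands, before its first use)."""
    muls = [n for n, k, _ in ops if k == "mul"]
    r = max(rnd[m] for m in muls)
    target = -(-len(muls) // r)                      # ceil(TM / r)
    mul_round = {m: rnd[m] for m in muls}
    moved = True
    while moved:
        moved = False
        for m in muls:
            counts = Counter(mul_round.values())
            if counts[mul_round[m]] <= target:
                continue
            for j1 in range(1, r + 1):
                if counts[j1] >= target:
                    continue
                trial = {**mul_round, m: j1}
                if is_valid(ops, rounds_from_muls(ops, trial)):
                    mul_round, moved = trial, True
                    break
    return rounds_from_muls(ops, mul_round)


def min_rounds(tm, m, cpl):
    """Section 5.1 bound: ceil(TM/m) rounds with m multipliers, never below CPL."""
    return max(-(-tm // m), cpl)


if __name__ == "__main__":
    asap = asap_rounds(TOY_FORMULA)
    print("ASAP:    ", metrics(TOY_FORMULA, asap, TOY_OUTPUTS))
    print("balanced:", metrics(TOY_FORMULA, balance(TOY_FORMULA, asap), TOY_OUTPUTS))
```

On the toy formula the rebalancing lowers $MW$ from 5 to the ideal $\lceil 7/3 \rceil = 3$, but $BW$ rises from 5 to 7: a multiplication that is delayed keeps its operands alive for longer. Section 3.2 compares $\mathrm{par}(F)$ with the sequential formula, so after rebalancing the buffer width should be measured again before a buffer size is fixed.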

3.2 Managing Buffer Width 

The parameter $BW$ gives the maximum number of intermediate variables that have to be stored at any point in the algorithm. This is an important parameter for applications where the amount of memory is limited. We argue that obtaining the parallel version of an explicit formula does not substantially change the buffer width. Our argument is as follows.

First note that the total number of multiplications in the parallel version is roughly the same as the total number of multiplications in the original explicit formula. The only place where the number of multiplications increases is in the preprocessing step of reducing the multiplication depth, and the increase is only a few multiplications. The total number of addition operations remains the same in the sequential and the parallel versions. Since the total numbers of multiplications and additions are roughly the same, the total number of intermediate variables also remains roughly the same.

Suppose that after round $k$ in the execution of the parallel version, $i$ intermediate variables have to be stored. Now consider a sequential execution of the explicit formula. Clearly, in the sequential execution, all operations up to round $k$ have to be executed before any operation of a round greater than $k$ can be executed. The $i$ intermediate variables that have to be stored after round $k$ are required as inputs to operations in rounds greater than $k$. Hence these intermediate variables also have to be stored in the sequential execution of the explicit formula.

4 Application to Lange’s Explicit Formulae 

In [11] and [12], Lange presented explicit formulae for addition and doubling in the Jacobian of genus 2 hyperelliptic curves. In fact, there are many special cases involved in these explicit formulae and our methodology can be applied to all the cases. But to be brief, we restrict our attention to the most general and frequent case only. The formulae in [11] use an inversion each for addition and doubling, while the formulae in [12] do not require any inversion.

We apply the methodology described in Section 3 separately to the formulae in [11] and [12]. In the case of addition, the inputs are two divisors $D_1$ and $D_2$, and in the case of doubling the input is only one divisor $D_1$. We use the following conventions.

— We assume that the curve parameters $h_2, h_1, h_0, f_4, f_3, f_2, f_1, f_0$ are available to the algorithm.

— We do not distinguish between squaring and multiplication.

— The labels for the arithmetic operations in the explicit formula for addition start with A and the labels for the arithmetic operations in the explicit formula for doubling start with D. The second letter of the label (M or A) denotes (m)ultiplication or (a)ddition over the underlying field. Thus AM23 denotes the 23rd multiplication in the explicit formula for addition.

— The intermediate variables for the explicit formula for addition are of the form $p_i$ and the intermediate variables for the explicit formula for doubling are of the form $q_j$.

— In [11,12], multiplications by curve constants are present. However, in the total multiplication count some of these operations are ignored, since for most practical applications the related curve constants will be 0 or 1. In this section, we include the multiplications by the curve parameters. In Section 5, we consider the situation where these are 0 or 1.

— The set of intermediate variables ($V_i$'s) required at any stage is called the buffer state.

4.1 Inversion Free Arithmetic 

In this section, we consider the result of applying the method of Section 3 to the inversion-free formulae for addition and doubling given in [12]. The details are presented in the Appendix: the addition formula in Section A.1 and the doubling formula in Section A.2. We present a summary of the parameters of the parallel versions in Table 2.

Based on Table 2 and Proposition 2(3), we obtain the following result.

Theorem 1. Any parallel algorithm for executing either the explicit formula for addition or the explicit formula for doubling presented in [12] will require at least 8 parallel multiplication rounds. Consequently, the parallel algorithms presented in Sections A.1 and A.2 are optimal algorithms.



102 Pradeep Kumar Mishra and Palash Sarkar 


Table 2. Parameters for parallel versions of the explicit formulae in [12].

            MW   BW   CPL   TM
  Add        8   20     8   59
  Double    11   15     8   66


4.2 Arithmetic Using Affine Coordinates 

The most efficient explicit formulae for arithmetic using affine coordinates have been presented in [11]. Here we consider the result of applying the methodology of Section 3 to these formulae. Again, due to lack of space, we present the details in the full version of the paper. The parallel version of the addition formula is presented therein.

A summary of the results is presented in Table 3. 


Table 3. Parameters for parallel versions of the explicit formulae in [11], including inversion. Columns: Add, Double.

We have the following result about the parallel versions of the explicit formulae in [11].

Theorem 2. Any parallel algorithm for executing the explicit formula for ad- 
dition (resp. doubling) presented in [11] will require at least 7 (resp. 8) parallel 
multiplication rounds. Consequently, the parallel algorithms presented in [16] are 
optimal algorithms. 

5 Encapsulated Addition and Doubling Algorithm 

In this section, we address several issues required for actual implementation. 

- The algorithms of Section A include multiplications by the parameters of the curve. However, we can assume that $h_2 \in \{0, 1\}$. If $h_2 \ne 0$, then by scaling $x$ and $y$ by suitable powers of $h_2$ and dividing the resulting equation by the corresponding power of $h_2$, we can make $h_2 = 1$. Also, if the underlying field is not of characteristic 5, we can assume that $f_4 = 0$: if it is not, we can make it so by substituting $x = (x - f_4/5)$. In the algorithms presented below, we assume that $h_2 \in \{0, 1\}$ and $f_4 = 0$, and hence the corresponding multiplications are ignored. This decreases the total number of multiplications and hence also the number of parallel rounds. In most applications $h_1, h_0$ are also in $\{0, 1\}$, so the efficiency in such situations can go up further. Thus not all the operations in Section A of the Appendix occur in the algorithms in this section.

- The usual add-and-double scalar multiplication algorithm is susceptible to side channel attacks. One of the main countermeasures is to perform both addition and doubling at each stage of scalar multiplication (see [3]). We call such an algorithm an encapsulated add-and-double algorithm. The parallel algorithms we present in this section are encapsulated add-and-double algorithms. All of them take as input two divisors $D_1$ and $D_2$ and produce as output $D_1 + D_2$ and $2D_1$.


5.1 Inversion Free Arithmetic 

In this section, we consider the parallel version of the encapsulated add-and-double formula. We obtain the algorithms from the individual algorithms presented in Sections A.1 and A.2.

First we note that the total number of multiplication operations for encapsulated add-and-double under the above mentioned conditions is 108. Since the value of $MW$ for addition is 8 and for doubling is 11, and both have $CPL = 8$, a total of 19 parallel finite field multipliers can complete encapsulated addition and doubling in 8 parallel rounds. However, 19 parallel finite field multipliers may be too costly. Hence we describe algorithms with 4, 8 and 12 parallel multipliers. (Note that an algorithm with two multipliers is easy to obtain: we assign one multiplier to perform the addition and the other to perform the doubling.)

Suppose the number of multipliers is $m$ and the total number of multiplications is $TM$. Then at least $\lceil TM/m \rceil$ parallel rounds are necessary. Any algorithm which performs the computation in this many rounds will be called a best algorithm. Our parallel algorithms with 4 and 8 multipliers are best algorithms. Further, our algorithm with 12 multipliers is optimal in the sense that no other parallel algorithm with 12 multipliers can complete the computation in fewer rounds.

The actual algorithm for performing inversion-free arithmetic with 4 multipliers is presented in Table 5. Such tables for 8 and 12 multipliers are presented in the full version of the paper, which interested readers can access at [16]. Table 5 only lists the multiplications and additions of field elements; the labels in the table refer to the labels of the operations in the algorithms in Sections A.1 and A.2. We present a summary of the results in Table 4.

Table 4. Summary of algorithms with varying number of multipliers for inversion-free arithmetic of [12].

  No. of multipliers    2    4    8   12
  Number of rounds     54   27   14   10


5.2 Affine Coordinates 

An eight multiplier parallel version of explicit formula for encapsulated add-and- 
double is presented in the full version of the paper. In this case the total number 
of multiplications is 65. The eight multiplier algorithm requires 11 parallel rounds 
Table 5. Computation chart using four parallel multipliers for inversion-free arithmetic of [12].

  Rnd  Multiplications             Additions
   1   AM01, AM02, AM03, AM04
   2   AM05, AM06, AM07, AM08      AA01, AA02, AA03, AA04
   3   DM01, DM02, DM04, DM08      DA01, DA02, DA03, DA04
   4   DM09, AM09, AM10, AM11      DA05, DA06, DA07, AA07, AA08, AA09
   5   AM12, AM13, AM14, AM16      AA05, AA06
   6   DM12, DM13, DM14, DM15      DA08
   7   DM16, DM17, DM18, DM19      DA09, DA10
   8   DM20, DM22, AM17, AM18      AA10, DA11, DA12, DA13
   9   AM19, AM20, AM21, AM22      AA12, AA13, AA14, AA15
  10   DM23, DM24, DM25, DM26      DA14, DA15, DA16, DA17, DA18, DA19
  11   DM27, DM29, AM23, AM24
  12   AM25, AM26, AM27, AM28
  13   AM29, AM30, DM30, DM31      AA16, AA17
  14   DM32, DM33, DM34, DM35      DA20, DA21
  15   AM31, AM32, AM33, AM34      AA18, AA19
  16   AM35, AM37, AM38, DM36
  17   DM37, DM38, DM39, DM41
  18   DM43, AM39, AM40, AM41
  19   AM42, AM43, AM44, AM46      AA20, AA21, AA22, AA23, AA24, AA25
  20   DM44, DM45, DM46, DM47
  21   DM48, DM49, DM50, AM47      DA22, DA23, DA24, DA25
  22   AM48, AM49, AM50, AM51
  23   AM52, AM53, DM51, DM52      AA26, AA27
  24   DM53, DM54, DM55, DM56
  25   DM57, AM54, AM55, AM56      DA26, DA27, DA28
  26   AM57, DM58, DM59, DM60      AA28, AA29, AA30, AA31
  27   DM62, DM63, DM65, DM66      DA29, DA30, DA31, DA32, DA33, DA34
including an inversion round. On the other hand, the eight multiplier algorithm for inversion-free arithmetic requires only 14 multiplication rounds. Thus, in general, the parallel version of inversion-free arithmetic will be more efficient than the parallel version of arithmetic obtained from affine coordinates.


6 Conclusion 

In this work, we have developed a general methodology for deriving parallel versions of any explicit formula for the computation of divisor addition and doubling. We have followed the method to derive the parallel versions of the explicit formulae given in [12] and [11]. We have considered encapsulated add-and-double algorithms to prevent side channel attacks. Moreover, we have described parallel algorithms with different numbers of processors.

It has been shown that for the inversion-free arithmetic of [12] and with 4, 8 and 12 field multipliers, an encapsulated add-and-double can be carried out in 27, 14 and 10 parallel rounds respectively. All these algorithms are optimal in the number of parallel rounds. In the case of arithmetic using affine coordinates [11], an eight multiplier algorithm can perform encapsulated add-and-double using 11 rounds including an inversion round. Since an inversion is usually several times costlier than a multiplication, in general the parallel version of inversion-free arithmetic will be more efficient than the parallel version of arithmetic using affine coordinates.

We have applied our general methodology to explicit formulae for genus 2 curves. The same methodology can also be applied to the explicit formulae for genus 3 curves and to other explicit formulae appearing in the literature. Performing these tasks will be future research problems.
A Details of Parallel Versions of Explicit Formula

The organisation of this section is as follows.

— The parallel version of the explicit formula for addition using inversion-free arithmetic of [12] is presented in Section A.1.

— The parallel version of the explicit formula for doubling using inversion-free arithmetic of [12] is presented in Section A.2.

Similar parallelised versions of the addition and doubling algorithms for affine coordinates given in [11] have been derived using the methods presented in this paper and are available in the full version of the paper. Interested readers can find them at [16].
A.1 Addition Using Inversion-Free Arithmetic

Algorithm

Input: Divisors D1 = [U11, U10, V11, V10, Z1] and D2 = [U21, U20, V21, V20, Z2].
Output: Divisor D1 + D2 = [U'1, U'0, V'1, V'0, Z'].

Initial buffer: U11, U10, V11, V10, Z1, U21, U20, V21, V20, Z2.

Round 1
AM01. Z = Z1 Z2; AM02. Ũ21 = Z1 U21; AM03. Ũ20 = Z1 U20; AM04. Ṽ21 = Z1 V21;
AM05. Ṽ20 = Z1 V20; AM06. p1 = U11 Z2; AM07. p2 = U10 Z2; AM08. p3 = V11 Z2.
Buffer: Z, Ũ21, Ũ20, Ṽ21, Ṽ20, p1, p2, p3.
AA01. p4 = p1 − Ũ21; AA02. p5 = Ũ20 − p2; AA03. p6 = p3 − Ṽ21; AA04. p7 = Z1 + U11.
Buffer: Z, Ũ21, Ũ20, Ṽ21, Ṽ20, p1, p3, p4, p5, p6, p7.

Round 2
AM09. p8 = U11 p4; AM10. p9 = Z1 p5; AM11. p10 = Z1 p4; AM12. p11 = p4²;
AM13. p12 = p4 p6; AM14. p13 = h1 Z; AM15. p14 = f4 Z; AM16. p15 = V10 Z2.
Buffer: Z, Ũ21, Ũ20, Ṽ21, Ṽ20, p1, p3, p4, p5, p6, p7, p8, p9, p10, p11, p12, p13, p14, p15.
AA05. p16 = p15 − Ṽ20; AA06. p17 = p16 + p6; AA07. p18 = p8 + p9; AA08. p19 = p18 + p10;
AA09. p20 = p1 + Ũ21.
Buffer: Z, Ũ21, Ũ20, Ṽ21, Ṽ20, p3, p4, p5, p7, p11, p12, p13, p14, p15, p16, p17, p18, p19, p20.

Round 3
AM17. p21 = p5 p18; AM18. p22 = p11 U10; AM19. p23 = p19 p17;
AM20. p24 = p18 p16; AM21. p25 = p12 p7; AM22. p26 = p12 U10.
Buffer: Z, Ũ21, Ũ20, Ṽ21, Ṽ20, p3, p4, p13, p14, p15, p20, p21, p22, p23, p24, p25, p26.
AA10. r = p21 + p22; AA11. s1 = p23 − p24 − p25; AA12. s0 = p24 − p26; AA13. p27 = Ũ21 + Ũ20;
AA14. p28 = p13 + 2Ṽ21; AA15. p29 = p4 + 2Ũ21 − p14.
Buffer: Z, Ũ21, Ũ20, Ṽ21, Ṽ20, r, s1, s0, p3, p4, p15, p20, p27, p28, p29.

Round 4
AM23. R = Z r; AM24. s0 = s0 Z; AM25. s3 = s1 Z; AM26. S = s0 s1;
AM27. p30 = s0 p4; AM28. p31 = r p29; AM29. p32 = s1 p28; AM30. t = s1 p20.
Buffer: Ũ21, Ũ20, Ṽ21, Ṽ20, r, s1, s0, R, s3, S, t, p3, p4, p15, p27, p30, p31, p32.
AA16. p33 = s0 − t; AA17. p34 = t − 2s0.
Buffer: Ũ21, Ũ20, Ṽ21, Ṽ20, r, s1, s0, R, s3, S, p3, p4, p15, p27, p30, p31, p32, p33, p34.

Round 5
AM31. S3 = s1²; AM32. R = R s3; AM33. S̃ = s3 s1; AM34. S = s0 s1;
AM35. l0 = S Ũ20; AM36. p35 = h2 p33; AM37. p36 = s0²; AM38. p37 = R².
Buffer: Ũ21, Ṽ21, Ṽ20, l0, S3, R, S, S̃, p3, p15, p27, p30, p31, p32, p34, p35, p36, p37.
AA18. p38 = S + S̃; AA19. p39 = p35 + p32.
Buffer: Ũ21, Ṽ21, Ṽ20, l0, S3, R, S, S̃, p3, p15, p27, p30, p31, p34, p36, p37, p38, p39.

Round 6
AM39. R̃ = R S; AM40. l2 = S Ũ21; AM41. p40 = p38 p27; AM42. p41 = p30 p34;
AM43. p42 = p3 S̃; AM44. p43 = R p30; AM45. p44 = h2 R; AM46. p45 = p15 R.
Buffer: Ṽ21, Ṽ20, l2, l0, S3, R, S, R̃, p31, p36, p37, p40, p41, p42, p43, p44, p45.
AA20. l1 = p40 − l2 − l0; AA21. l2 = l2 + S; AA22. U'0 = p36 + p41 + p42 + p43 + p31;
AA23. U'1 = 2S − p45 + p44 − p37; AA24. l2 = l2 − U'1; AA25. p46 = U'0 − l1.
Buffer: U'0, U'1, Ṽ21, Ṽ20, l2, l0, S3, R, S, R̃, p46.

Round 7
AM47. p47 = U'0 l2; AM48. p48 = S3 l0; AM49. p49 = U'1 l2; AM50. p50 = S3 p46;
AM51. Z' = R S3; AM52. U'0 = R U'0; AM53. U'1 = R U'1.
Buffer: U'0, U'1, Ṽ21, Ṽ20, R, p47, p48, p49, p50, Z'.
AA26. p51 = p47 − p48; AA27. p52 = p49 + p50.
Buffer: U'0, U'1, Ṽ21, Ṽ20, R, p51, p52, Z'.

Round 8
AM54. p53 = R Ṽ20; AM55. p54 = R Ṽ21; AM56. p55 = h0 Z'; AM57. p56 = h1 Z';
AM58. p57 = h2 U'0; AM59. p58 = h2 U'1.
Buffer: U'0, U'1, p51, p52, p53, p54, p55, p56, p57, p58, Z'.
AA28. p59 = p51 − p53 − p55; AA29. p60 = p52 − p54 − p56; AA30. V'0 = p57 + p59; AA31. V'1 = p58 + p60.
Buffer: U'0, U'1, V'0, V'1, Z'.
A.2 Doubling Using Inversion-Free Arithmetic

Algorithm

Input: Divisor D1 = [U11, U10, V11, V10, Z1].
Output: Divisor 2D1 = [U''1, U''0, V''1, V''0, Z''].

Initial buffer: U11, U10, V11, V10, Z1.

Round 1
DM01. q0 = Z1²; DM02. q1 = h1 Z1; DM03. q2 = h2 U11; DM04. q3 = h0 Z1; DM05. q4 = h2 U10;
DM06. q5 = f4 U11; DM07. q6 = h2 V11; DM08. q7 = f2 Z1; DM09. q8 = V11 h1; DM10. q9 = V10 h2;
DM11. q10 = f4 U10.
Buffer: q0, q1, q2, q3, q4, q5, q6, q7, q8, q9, q10.
DA01. Ṽ1 = q1 + 2V11 − q2; DA02. Ṽ0 = q3 + 2V10 − q4; DA03. q11 = 2U10; DA04. inv1 = −Ṽ1;
DA05. q12 = q7 − q8 − q9 − 2U10; DA06. q13 = 2q11 + q10 + q6; DA07. q14 = q11 + 2q7 + q6.
Buffer: inv1, Ṽ1, Ṽ0, q0, q11, q12, q13, q14.

Round 2
DM12. q15 = (not recoverable); DM13. q16 = U11²; DM14. q17 = Ṽ0 Z1; DM15. q18 = U11 Ṽ1;
DM16. q19 = Ṽ1²; DM17. q20 = f3 q0; DM18. q21 = q12 Z1; DM19. q22 = q13 Z1; DM20. q23 = q14 Z1;
DM21. q24 = h2 U11; DM22. q25 = h1 Z1.
Buffer: inv1, Ṽ1, Ṽ0, q0, q15, q16, q17, q18, q19, q20, q21, q22, q23, q24, q25.
DA08. q26 = q17 − q18; DA09. q27 = q20 + q16; DA10. q28 = q22 − q27;
DA11. k1 = 2q16 + q27 − q23; DA12. q29 = q21 − q15; DA13. q30 = 2V10 − q24 + q25.
Buffer: inv1, Ṽ0, k1, q0, q19, q26, q27, q28, q29, q30.

Round 3
DM23. q31 = Ṽ0 q26; DM24. q32 = q19 U10; DM25. q33 = (not recoverable); DM26. q34 = k1 q29;
DM27. q35 = k1 inv1; DM28. q36 = (not recoverable); DM29. q37 = Z1 U10.
Buffer: inv1, k1, q0, q26, q30, q31, q32, q33, q34, q35, q36, q37.
DA14. r = q31 + q32; DA15. k0 = q33 + q34; DA16. q38 = (not recoverable); DA17. q39 = inv1 + q26;
DA18. q40 = (not recoverable); DA19. q41 = 2U11 − q36.
Buffer: q0, r, k0, q26, q30, q35, q36, q37, q38, q39, q40, q41.

Round 4
DM30. R = q0 r; DM31. q42 = q38 q39; DM32. q43 = q35 q40; DM33. q44 = q35 q37;
DM34. q45 = k0 q26; DM35. q46 = r q41.
Buffer: R, q30, q36, q42, q43, q44, q45, q46.
DA20. s3 = q42 − q45 − q43; DA21. s0 = q45 − q44.
Buffer: R, s0, s3, q30, q46.

Round 5
DM36. q47 = R²; DM37. q48 = s0 s3; DM38. s1 = s3 Z1; DM39. S0 = s0²; DM40. t = h2 s0;
DM41. q49 = q30 s3; DM42. q50 = h2 R; DM43. q51 = Z1 q46.
Buffer: R, S0, t, s1, s3, q47, q48, q49, q50, q51.
Addition phase: no addition is required in this round.
Buffer: same as above.

Round 6
DM44. R = R s1; DM45. S1 = s1²; DM46. q52 = s1 s3; DM47. S = q48 s1; DM48. l0 = U10 q48;
DM49. q53 = R q49; DM50. q54 = q50 s1.
Buffer: R, S1, S, S0, t, l0, q47, q48, q51, q52, q53, q54.
DA22. q55 = U11 + U10; DA23. q56 = q48 + q52; DA24. U''0 = S0 + q53 + t + q51;
DA25. U''1 = 2S + q54 − q47.
Buffer: U''0, U''1, l0, S1, S, R, s1, q52, q55, q56.

Round 7
DM51. R = R q52; DM52. q57 = q56 q55; DM53. q58 = S1 l0; DM54. Z'' = S1 R;
DM55. q59 = R U''1; DM56. q60 = R U''0; DM57. l2 = U11 s1.
Buffer: U''0, U''1, Z'', R, S1, S, l0, l2, q57, q58, q59, q60.
DA26. l1 = q57 − l2 − l0; DA27. l2 = l2 + S − U''1; DA28. q61 = U''0 − l1.
Buffer: U''0, U''1, Z'', R, S1, l2, q58, q59, q60, q61.

Round 8
DM58. q62 = U''0 l2; DM59. q63 = U''1 l2; DM60. q64 = S1 q61; DM61. q65 = h2 q60;
DM62. q66 = R V10; DM63. q67 = h0 Z''; DM64. q68 = h2 q59; DM65. q69 = R V11; DM66. q70 = h1 Z''.
Buffer: Z'', q58, q59, q60, q62, q63, q64, q65, q66, q67, q68, q69, q70.
DA29. q71 = q62 + q58; DA30. q72 = q63 + q64; DA31. U''0 = q60; DA32. U''1 = q59;
DA33. V''0 = q71 + q65 − q66 − q67; DA34. V''1 = q72 + q68 − q69 − q70.
Buffer: U''0, U''1, Z'', V''0, V''1.
Abstract. The Weil and Tate pairings have been used recently to build new schemes in cryptography. It is known that the Weil pairing takes longer than twice the running time of the Tate pairing. Hence it is necessary to develop more efficient implementations of the Tate pairing for the practical application of pairing based cryptosystems. In 2002, Barreto et al. and Galbraith et al. provided new algorithms for the fast computation of the Tate pairing in characteristic three. In this paper, we give a closed formula for the Tate pairing on the hyperelliptic curve $y^2 = x^p - x + d$ in characteristic $p$. This result improves the implementations in [BKLS02], [GHS02] for the special case $p = 3$.


1 Introduction 

Pairings were first used in cryptography as a cryptanalytic tool for reducing 
the discrete log problem on some elliptic curves to the discrete log problem in 
a finite field. There are two reduction types. One uses the Weil pairing and 
is called the MOV reduction [MOV93], the other uses the Tate pairing and 
is called the FR reduction [FR94]. Positive cryptographic applications based 
on pairings arose from the work of Joux [J00], who gave a simple one round 
tripartite Diffie-Hellman protocol on supersingular curves. Curve based pairings, 
such as the Weil pairing and Tate pairing, provide a good setting for the so- 
called bilinear Diffie-Hellman problem. Many cryptographic schemes based on 
the pairings have been developed recently, such as identity based encryption 
[BF01], identity based signature schemes [SOK00], [CC03], [H02a], [P02], and 
identity based authenticated key agreement [S02] . For the practical application 
of those systems it is important to have efficient implementations of the pairings. 
According to [G01], the Tate pairing can be computed more efficiently than the 
Weil pairing. The recent papers [BKLS02], [GHS02] provide fast computations 
of the Tate pairing in characteristic three. 

Our main result in this paper is a closed expression for the Tate pairing on the hyperelliptic curve defined by the equation $C_d/k : y^2 = x^p - x + d$, for a prime number $p$ congruent to 3 modulo 4 (Theorem 5). We assume that $k$ is a finite extension of degree $n$ of the prime field $\mathbb{F}_p$ with $n$ coprime to $2p$. The formula assigns to a pair $(P, Q)$ of $k$-rational points on the curve an element $\{P, Q\} \in K^*$, where $K/k$ is an extension of degree $2p$. By a general property of the Tate pairing the map is bilinear. Following Joux [J00], we can use the map to construct a tripartite key agreement protocol: if $A, B, C$ are three parties with private keys $a, b, c$ and public keys $aP, bP, cP$, respectively, they can establish a common secret key $\alpha \in K^*$ via

$$\alpha = \{aP, bP\}^c = \{bP, cP\}^a = \{cP, aP\}^b \in K^*.$$

The computation of the Tate pairing can be performed using an algorithm first presented by Miller [M86]. For a general elliptic curve in characteristic three, the computation can be improved. For the elliptic curve $E_b/k : y^2 = x^3 - x + b$, techniques specific to the curve yield further improvements [BKLS02], [GHS02]. We describe these algorithms and we show that the evaluation of our closed expression, for the special case $p = 3$, uses fewer logical and arithmetic operations.

* Supported by Korea Research Foundation Grant (KRF-2002-070-C00010)

This paper is organized as follows. In the next section, we recall the general formulation of the Tate pairing. Section 3 gives useful properties of the elliptic curve $E_b : y^2 = x^3 - x + b$ and gives Miller's algorithm in base 3. We also describe the algorithm for computing the Tate pairing due to Barreto et al. [BKLS02]. For comparison, we derive a closed expression for the output of the algorithm proposed by Barreto et al. in Section 4. Section 5 gives useful properties of the curve $C_d : y^2 = x^p - x + d$ and we give a first algorithm to evaluate the Tate pairing for the curve $C_d$. Our main result in Section 6 gives the output of this algorithm in closed form. The expression is then used to formulate a second, faster algorithm.

2 Tate Pairing

Let $X/k$ be an algebraic curve over a finite field $k$. Let $\mathrm{Div}$ be the group of divisors on $X$, $\mathrm{Div}^0$ the subgroup of divisors of degree zero, $\mathrm{Prin}$ the subgroup of principal divisors, and $\Gamma = \mathrm{Div}^0/\mathrm{Prin}$ the group of divisor classes of degree zero. For $m > 0$ prime to $\operatorname{char} k$, let

$$\Gamma[m] = \{[D] \in \Gamma : mD \text{ is principal}\}.$$

For a rational function $f$ and a divisor $E = \sum n_P P$ with $(f) \cap E = \emptyset$, let

$$f(E) = \prod f(P)^{n_P} \in k^*.$$

Theorem 1 ([FR94], [H02b]). The Tate pairing

$$\{\cdot, \cdot\}_m : \Gamma[m] \times \Gamma/m\Gamma \to k^*/k^{*m}, \qquad \{[D], [E]\}_m = f_D(E),$$

is well-defined on divisor classes. The pairing is non-degenerate if and only if the constant field $k$ of $X$ contains the $m$-th roots of unity. Here, $f_D$ is such that $(f_D) = mD$, and we assume that the classes are represented by divisors with disjoint support: $D \cap E = \emptyset$.

For an elliptic curve $E/k$ we can identify $\Gamma$ with the group of rational points on the curve using the isomorphism $E(k) \cong \Gamma$, $P \mapsto [P - O]$. For an elliptic curve $E/k$, and for $D = [P - O]$, efficient computation of $f_D(Q)$ in the Tate pairing is achieved with a square-and-multiply strategy using Miller's algorithm in base 2 [M86].

3 The BKLS-Algorithm

Let $E^+ : y^2 = x^3 - x + 1$ and $E^- : y^2 = x^3 - x - 1$ be twisted elliptic curves over the field $\mathbb{F}_3$ of three elements. Their cryptographic applications have been studied in [K98], [DS98]. Let $N$ be the number of points on $E^+$ or $E^-$ over an extension field $k = \mathbb{F}_{3^n}$ such that $\gcd(n, 6) = 1$. Then the Tate pairing

$$\{\cdot, \cdot\}_N : \Gamma[N] \times \Gamma/N\Gamma \to k^*/k^{*N}, \qquad \{[D], [E]\}_N = f_D(E),$$

is non-degenerate for an extension $K/k$ of degree $[K : k] = 6$. For the extension $K/k$, $E(K)$ contains the full $N$-torsion and the Weil pairing is also non-degenerate [MOV93].

For the curves $E_b$, $b = \pm 1$, multiplication $V \mapsto 3V$ is particularly simple. For $V = (\alpha, \beta)$, $3V = (\alpha^9 - b, -\beta^9)$. Also, taking the cube of a scalar $f \mapsto f^3$ in characteristic three has linear complexity on a normal basis. Thus, Miller's algorithm will perform faster for these curves in a cube-and-multiply version (Algorithm 1).
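The tripling rule and the group order above, checked in code, as an added example (illustrative code written for this page, not code from the paper or from [BKLS02]). It implements $\mathbb{F}_{3^n}$ as polynomials over $\mathbb{F}_3$ modulo an irreducible polynomial found by trial division, affine point addition on $E_b$, and the map $V \mapsto (\alpha^9 - b, -\beta^9)$. The assumptions are $n = 5$ (so $\gcd(n, 6) = 1$), $b = 1$, and the resulting order $N = 3^5 + 1 - 3^3 = 217$, which the code confirms by checking $NV = O$; all function and variable names are the example's own.

```python
# Added example, not from the paper: E_b: y^2 = x^3 - x + b over F_{3^n}, checking the
# tripling rule 3V = (alpha^9 - b, -beta^9) against ordinary point addition, and the
# group order N = 3^n + 1 +/- 3^((n+1)/2). Assumptions for the demo: n = 5 (so
# gcd(n, 6) = 1) and b = 1. Field elements are coefficient lists over F_3, lowest
# degree first, reduced modulo an irreducible polynomial found by trial division.
from itertools import product

P = 3

def trim(a):
    while a and a[-1] == 0:
        a.pop()
    return a

def padd(a, b):
    n = max(len(a), len(b))
    return trim([((a[i] if i < len(a) else 0) + (b[i] if i < len(b) else 0)) % P for i in range(n)])

def pmul(a, b):
    r = [0] * (len(a) + len(b) - 1) if a and b else []
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            r[i + j] = (r[i + j] + x * y) % P
    return trim(r)

def pmod(a, m):  # remainder of a modulo the monic polynomial m
    a = trim(a[:])
    while len(a) >= len(m):
        c, s = a[-1], len(a) - len(m)
        for i, y in enumerate(m):
            a[s + i] = (a[s + i] - c * y) % P
        trim(a)
    return a

def monic(d):  # all monic polynomials of degree d over F_3
    for low in product(range(P), repeat=d):
        yield list(low) + [1]

def irreducible(n):  # first monic degree-n polynomial with no factor of degree <= n/2
    return next(f for f in monic(n) if all(pmod(f, g) for d in range(1, n // 2 + 1) for g in monic(d)))

class GF3n:
    def __init__(self, n):
        self.q, self.m = P ** n, irreducible(n)
    def el(self, c):
        return trim([c % P])
    def neg(self, a):
        return [(-x) % P for x in a]
    def sub(self, a, b):
        return padd(a, self.neg(b))
    def mul(self, a, b):
        return pmod(pmul(a, b), self.m)
    def pow(self, a, e):
        r = [1]
        while e:
            if e & 1:
                r = self.mul(r, a)
            a, e = self.mul(a, a), e >> 1
        return r
    def inv(self, a):
        return self.pow(a, self.q - 2)
    def sqrt(self, a):  # n odd gives q = 3 mod 4, so a^((q+1)/4) is a root when one exists
        r = self.pow(a, (self.q + 1) // 4)
        return r if self.mul(r, r) == a else None

def rhs(F, b, x):  # x^3 - x + b
    return F.sub(F.sub(F.mul(F.mul(x, x), x), x), F.el(-b))

def ec_add(F, b, P1, P2):  # affine chord-and-tangent addition; None is the point O
    if P1 is None or P2 is None:
        return P2 if P1 is None else P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2:
        if y1 == F.neg(y2):
            return None  # P2 = -P1
        num = F.sub(F.mul(F.el(3), F.mul(x1, x1)), F.el(1))  # 3x^2 - 1, which is -1 in char 3
        den = F.mul(F.el(2), y1)
    else:
        num, den = F.sub(y2, y1), F.sub(x2, x1)
    lam = F.mul(num, F.inv(den))
    x3 = F.sub(F.sub(F.mul(lam, lam), x1), x2)
    return (x3, F.sub(F.mul(lam, F.sub(x1, x3)), y1))

def ec_mul(F, b, k, Pt):  # double-and-add, used here only to check the group order
    acc = None
    for bit in bin(k)[2:]:
        acc = ec_add(F, b, acc, acc)
        if bit == "1":
            acc = ec_add(F, b, acc, Pt)
    return acc

def triple_frobenius(F, b, V):  # 3V = (alpha^9 - b, -beta^9): two cubings, no inversion
    alpha, beta = V
    return (F.sub(F.pow(alpha, 9), F.el(b)), F.neg(F.pow(beta, 9)))

def find_point(F, b):  # a point with y != 0; t = [0, 1] is the generator of F_{3^n}
    for x in ([0, 1], [1, 1], [2, 1], [0, 0, 1], [], [1]):
        y = F.sqrt(rhs(F, b, x))
        if y:
            return (x, y)
```

Only ec_add is used to verify the rule; a Miller loop built on triple_frobenius replaces a doubling and an addition (each with a field inversion) by two cubings, which on a normal basis are cyclic shifts. sqrt relies on $q \equiv 3 \pmod 4$, which holds exactly because $n$ is odd, and the order check distinguishes the two candidates $3^n + 1 \pm 3^{(n+1)/2}$ for the chosen $b$.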

Next we describe further improvements to Algorithm 1 proposed in [BKLS02], [GHS02]. We consider the curve $E_b/k : y^2 = x^3 - x + b$, for $b = \pm 1$. We assume $k$ is of finite degree $[k : \mathbb{F}_3] = n$ with $\gcd(n, 6) = 1$. And we let $F/k$ and $K/k$ be extensions of degree $[F : k] = 3$ and $[K : k] = 6$, respectively. The following theorem and lemma are similar to Theorem 1 and Lemma 1, respectively, in [BKLS02].

Theorem 2. Let $N = |E(k)|$. Let $P, O \in E(k)$ be distinct points, and let $g_P$ be a $k$-rational function with $(g_P) = N(P - O)$. For all $Q \in E(K)$, $Q \ne P, O$,

$$\{[P - O], [Q - O]\}_N^{|K^*|/N} = g_P(Q)^{|K^*|/N} \in K^*.$$

Proof. Taking a power of the Tate pairing gives a non-degenerate pairing with values in $K^*$ instead of $K^*/K^{*N}$. We give a different proof to show that the point $O$ in $Q - O$ can be ignored. Let $t_O$ be a $k$-rational local parameter for $O$, i.e. $t_O$ vanishes to order one in $O$. We may assume that $(t_O) \cap P = \emptyset$. Thus $Q - O + (t_O) \sim Q - O$, such that $(Q - O + (t_O)) \cap (P - O) = \emptyset$. With the following lemma, $g_P(Q - O + (t_O)) = g_P(Q) \in K^*/K^{*N}$. □
Algorithm 1 Miller's algorithm, cube-and-multiply [GHS02], [BKLS02].

INPUT: $P, Q \in E(K)$, $(a_i) \in \{0, \pm 1\}^s$.
  {$a = 3^s + a_1 3^{s-1} + \cdots + a_{s-1} 3 + a_s$.}
OUTPUT: $f_a(Q)$.
  {$(f_a) = a(P) - (aP) - (a - 1)O$, $(l_{A,B}) = A + B + (-A - B) - 3O$.}
  $a \leftarrow 1$, $V \leftarrow P$, $f \leftarrow 1$
  for $i = 1$ to $s$ do
    $g \leftarrow l_{V,V}/l_{2V,O} \cdot l_{V,2V}/l_{3V,O}(Q)$
    $a \leftarrow 3a$, $V \leftarrow 3V$, $f \leftarrow f^3 \cdot g$
    if $a_i = \pm 1$ then
      $g \leftarrow l_{\pm P,V}/l_{V \pm P,O}(Q)$
      $a \leftarrow a \pm 1$, $V \leftarrow V \pm P$, $f \leftarrow f \cdot g$
    end if
    {$a = 3^i + a_1 3^{i-1} + \cdots + a_{i-1} 3 + a_i$, $V = aP$, $f = f_a(Q)$.}
  end for


Lemma 1. Let $N = |E(k)|$. For an $F$-rational function $f$ and for an $F$-rational divisor $R$ such that $(f) \cap R = \emptyset$,

$$f(R) = 1 \in K^*/K^{*N}.$$

Proof. We have $f(R) \in F^*$. The group order $N$ is an odd divisor of $3^{3n} + 1$. Therefore, the group order $N$ is coprime to $3^{3n} - 1 = |F^*|$. And $F^* = F^{*N} \subset K^{*N}$. □

Definition 1 ([BKLS02]). Let $\rho \in \mathbb{F}_{3^3}$ be a root of $\rho^3 - \rho - b = 0$. Let $\sigma \in \mathbb{F}_{3^2}$ be a root of $\sigma^2 + 1 = 0$. Define the distortion map

$$\phi : E(K) \to E(K), \qquad \phi(x, y) = (\rho - x, \sigma y). \qquad (1)$$

Combine the distortion map with Theorem 2 to obtain a pairing

$$E(k) \times E(k) \to K^*, \qquad (P, Q) \mapsto g_P(\phi(Q))^{|K^*|/N} \in K^*. \qquad (2)$$

The curve $y^2 = x^3 - x + b$ has complex multiplication by $\sqrt{-1}$ and the distortion map corresponds to multiplication by $\sqrt{-1}$. Indeed, $\phi$ is an automorphism of $E$,

$$(\sigma y)^2 = -y^2 = -x^3 + x - b = (\rho - x)^3 - (\rho - x) + b.$$

And $\phi^2 = -1$. The following remark is used in Theorem 3 [BKLS02] to discard contributions of the form $l_{P,O}(\phi(Q))$ in the evaluation of the Tate pairing.

Remark 1. Let $P \in E(k)$, $Q = (x, y)$ with $x \in F$ and $y \in K$, and let $l_{P,O}$ be the vertical line through $P$. Then $l_{P,O}(\phi(Q)) = 1 \in K^*/K^{*N}$.
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Algorithm 2 E/k : y 2 = x 3 - x + b [BKLS02]. 

INPUT: P e E(k), Q = (x,y) £ F x K,a = 3 2 ” 1 " 1 ± 3 m + 1. 

{[fc : F 3 ] = 2m - 1, [F : k] = 3, [K : k] = 6, a = \E(k)\.} 

OUTPUT: f a (Q). 

{(/#N a ( p ) ~ ( aP ) - (a - 1)0, (U,b) = A + B + {-A-B)- 30.} 

for i = 1 to m — 1 do 
g <— lv,vlv,-3v{Q) 
a <r- 3a, V ir- 3V, f f ■ g {a = 3 
end for 
g <r- l±p,v(Q) 

a<— a±l, V<— V±P, f<— f-g {a-- 
for i = 1 to m do 
g <— W,vW,-3v{Q) 
a <— 3a, V <— 3V, f -t- f 3 ■ g {a = 3 
end for 
g <- lp,v(Q) 

a<— a + l, V<— V + P, f<— f-g{a-- 


. . . , 3 m-1 } 

= 3 m “ 1 ± 1 } 
n +3,...,3 2m_1 ±3 m } 
= 3 2m_1 ± 3 m + 1} 


We summarize the differences between Algorithm 1 and Algorithm 2.

1. The distortion map gives a non-degenerate pairing on $E(k) \times E(k)$.

2. Because of the simple ternary expansion of $N$, a single loop of length $2m - 1$ containing an if statement for the adding can be replaced with two smaller loops each followed by an unconditional addition.

3. The denominators in $l_{V,V}/l_{2V,O}$ and $l_{V,2V}/l_{3V,O}$ are omitted. For $P \in E(k)$, $x_Q \in F$, they do not affect the value of the Tate pairing.

4. The line $l_{V,2V}$ is written $l_{V,-3V}$. Since the points $V$, $2V$ and $-3V$ lie on a line, the expressions are the same, but $-3V$ is easier to compute than $2V$. For $V = (\alpha, \beta)$, $-3V = (\alpha^9 - b,\ \beta^9)$.

We give a further analysis of Algorithm 2 in the following section. 

4 A Closed Formula for the BKLS-Algorithm 

Let $E_b/k : y^2 = x^3 - x + b$ be an elliptic curve as in Section 3. Recall from Definition 1 in Section 3 the pairing $E(k) \times E(k) \to K^*$,

$(P, Q) \mapsto g_P(\phi(Q))^{|K^*|/N} \in K^*.$

For the efficient evaluation of $g_P(\phi(Q))$ we use Algorithm 2.

Remark 2. We make three remarks. They all reflect that the lines that are computed by the algorithm can be precomputed.

1. After the first loop, we have, for $P = (\alpha^3, \beta^3)$,

$l_{\pm P, V} : \pm y - \beta(x - \alpha + b).$

2. After the second loop $V = (3^{2m-1} \pm 3^m)P = -P$, and multiplication by $l_{P,-P}(Q) = l_{P,O}(Q)$ can be omitted.

3. Inside each loop, if we omit only the denominator $l_{3V,O}$, we find

$(l_{V,V}\, l_{V,-3V} / l_{2V,O}) = 3(V) + (-3V) - 4(O).$

For $V = (\alpha, \beta)$, the function $h_V : \beta^3 y - (\alpha^3 - x + b)^2$ has the same divisor. We claim that using $h_V$ in place of $l_{V,V}\, l_{V,-3V}$ uses fewer operations.

Theorem 3 (Algorithm 2 in closed form). Let

$P = (\alpha^3, \beta^3) \in E(k),\qquad Q = (x, y) \in E(k),\qquad \phi(Q) = (\rho - x, \sigma y).$

Then, for $g_P$ with $(g_P) = N(P - O)$, $g_P(\phi(Q))$ is the product of

$\prod_{i=1}^{m-1} \Big( \sigma \beta^{(i)} y^{(n-i)} - (\alpha^{(i)} + x^{(n-i)} - \rho + mb)^2 \Big),$

$\prod_{i=m}^{n} \Big( \sigma \beta^{(i)} y^{(n-i)} - (\alpha^{(i)} + x^{(n-i)} - \rho - b)^2 \Big),$

$\Big( \pm \sigma y - \beta(\rho - x - \alpha + b) \Big)^{(m)}.$

Here $x^{(i)}$ denotes $x^{3^i}$, so that $x^{(i)}$ depends only on $i$ modulo $n$ for $x \in k$.

The second remark is clear. In the remainder of this section we first prove the third remark, then the first remark and finally the theorem.

Lemma 2. Let $l_{A,B}$ be the line through $A$ and $B$. For $V = (\alpha, \beta) \in E(K)$,

$l_{V,V} : (x - \alpha) - \beta(y - \beta) = 0,$
$l_{2V,O} : x - \alpha - 1/\beta^2 = 0,$
$l_{2V,V} : (\beta^4 - 1)(x - \alpha) - \beta(y - \beta) = 0,$
$l_{3V,O} : x - \alpha^9 + b = 0.$

The lines $l_{V,V}$ and $l_{2V,V}$ correspond to $l_1$ and $l_1'$, respectively, in [GHS02], up to a slight difference to reduce the number of operations. For the third remark, we compare the number of operations (Multiplication, Squaring, Addition, Frobenius).

$g \leftarrow l_{V,V}\, l_{V,-3V},\ f \leftarrow f^3 \cdot g$   (4M, 4A, 1F)

$g \leftarrow h_V,\ f \leftarrow f^3 \cdot g$   (2M, 1S, 2A, 2F)

To establish the first remark we use the following lemma. 

Lemma 3. Let $(\alpha, \beta) \in E_b(\overline{\mathbb{F}}_3)$. The line $l : by - \beta(x - \alpha + b) = 0$ has divisor

$(\alpha, \beta) + (\alpha + b, -\beta) + (\alpha^3, b\beta^3) - 3O.$

Let $(\alpha, \beta) \in E_b(k)$, for $k$ of degree $[k : \mathbb{F}_3] = n = 2m - 1$ with $\gcd(6, n) = 1$.

$n \equiv 1 \pmod 3$: $\ 3^n(\alpha + b, -\beta) = (\alpha, \beta),\quad 3^m(\alpha + b, -\beta) = (\alpha^3, (-1)^{m+1}\beta^3).$

$n \equiv 2 \pmod 3$: $\ 3^n(\alpha, \beta) = (\alpha + b, -\beta),\quad 3^m(\alpha, \beta) = (\alpha^3, (-1)^m \beta^3).$

Proof. The first claim is obvious. The last claim uses

$V = (\alpha, \beta) \ \Rightarrow\ 3V = (\alpha^9 - b,\ -\beta^9).$

$\square$


We summarize in a table.

                          | $n \equiv 1 \pmod 3$, $m \equiv 1 \pmod 3$ | $n \equiv 2 \pmod 3$, $m \equiv 0 \pmod 3$
$(\alpha, \beta)$         | $3^n W$                                    | $W$
$(\alpha + b, -\beta)$    | $W$                                        | $3^n W$
$(\alpha^3, b\beta^3)$    | $\epsilon 3^m W$                           | $\epsilon 3^m W$
$\epsilon$                | $(-1)^{m+1} b$                             | $(-1)^m b$

With the value of $\epsilon$ from the table, $|E(k)| = 3^n + 1 + \epsilon 3^m$.
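The following script is an added example, not code from the paper: it implements $k = \mathbb{F}_{3^5}$ and the group law of $E_1 : y^2 = x^3 - x + 1$ over $k$ from scratch and checks, by honest scalar multiplication, the three facts the closed formula rests on: the tripling $3V = (\alpha^9 - b, -\beta^9)$, the values of $3^m V$ and $3^n V$ in the lemma above (here $n = 5 \equiv 2 \pmod 3$, $m = 3$), and the group order $3^n + 1 + \epsilon 3^m = 217$ from the table. The defining polynomial $x^5 + 2x + 1$ of $k$ and the choice $b = 1$, $n = 5$ are assumptions of the example; everything else is standard arithmetic.

```python
# Added example (not from the paper): arithmetic in k = F_{3^n} and on
# E_b : y^2 = x^3 - x + b over k, checking the facts the closed formula rests on:
# 3V = (alpha^9 - b, -beta^9), the lemma's values of 3^m V and 3^n V, and the
# group order |E_b(k)| = 3^n + 1 + eps*3^m read off the table above.
import random

P, N, B = 3, 5, 1            # characteristic, n = [k:F_3] (= 2m - 1, m = 3), b = +1
M = (N + 1) // 2
# Assumed defining polynomial of k: x^5 + 2x + 1, which has no root in F_3 and is
# not divisible by x^2+1, x^2+x+2 or x^2+2x+2, hence is irreducible. Low-to-high.
MODULUS = [1, 2, 0, 0, 0, 1]


class Fq:
    """Element of k = F_3[x]/(MODULUS), stored as a tuple of N coefficients mod 3."""
    def __init__(self, coeffs):
        a = [c % P for c in coeffs]
        while len(a) >= len(MODULUS):                 # reduce modulo the monic MODULUS
            c, shift = a[-1], len(a) - len(MODULUS)
            for i, mi in enumerate(MODULUS):
                a[shift + i] = (a[shift + i] - c * mi) % P
            a.pop()
        self.c = tuple(a + [0] * (N - len(a)))
    def __eq__(self, o): return self.c == o.c
    def __hash__(self): return hash(self.c)
    def __add__(self, o): return Fq([a + b for a, b in zip(self.c, o.c)])
    def __neg__(self): return Fq([-a for a in self.c])
    def __sub__(self, o): return self + (-o)
    def __mul__(self, o):
        prod = [0] * (2 * N - 1)
        for i, a in enumerate(self.c):
            for j, b in enumerate(o.c):
                prod[i + j] += a * b
        return Fq(prod)
    def __pow__(self, e):
        r, base = Fq([1]), self
        while e:
            if e & 1:
                r = r * base
            base, e = base * base, e >> 1
        return r
    def inv(self): return self ** (P ** N - 2)        # Fermat inverse (nonzero input)
    def is_zero(self): return not any(self.c)


ZERO, ONE, BB = Fq([0]), Fq([1]), Fq([B])


def on_curve(pt):
    return pt is None or pt[1] * pt[1] == pt[0] ** 3 - pt[0] + BB   # None stands for O


def add(p, q):
    """Chord-and-tangent addition; the tangent slope (3x^2 - 1)/(2y) is 1/y in char 3."""
    if p is None: return q
    if q is None: return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2:
        if (y1 + y2).is_zero():
            return None
        lam = (Fq([3]) * x1 * x1 - ONE) * (Fq([2]) * y1).inv()
    else:
        lam = (y2 - y1) * (x2 - x1).inv()
    x3 = lam * lam - x1 - x2
    return (x3, lam * (x1 - x3) - y1)


def mul(k, pt):
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc


def power_of_three_formula(pt, j):
    """3^j V = (alpha^(9^j) - j*b, (-1)^j beta^(9^j)); j = 1 is the paper's tripling."""
    a, c = pt
    return (a ** (9 ** j) - Fq([j * B]), Fq([(-1) ** j]) * c ** (9 ** j))


def group_order(n, b):
    """|E_b(F_{3^n})| = 3^n + 1 + eps*3^m, eps from the table (gcd(6, n) = 1)."""
    m = (n + 1) // 2
    eps = (-1) ** (m + 1) * b if n % 3 == 1 else (-1) ** m * b
    return 3 ** n + 1 + eps * 3 ** m


def random_point(rng):
    """q = 3^n is 3 mod 4, so for a square r the root is r^((q+1)/4)."""
    q = P ** N
    while True:
        x = Fq([rng.randrange(P) for _ in range(N)])
        rhs = x ** 3 - x + BB
        if rhs.is_zero() or rhs ** ((q - 1) // 2) == ONE:
            return (x, rhs ** ((q + 1) // 4))


def check(seed=1):
    """Verify the formulas on (0, 1), a point of E_1(F_3), and on random points of E_1(k)."""
    rng = random.Random(seed)
    order = group_order(N, B)                          # 217 = 3^5 + 1 - 3^3 for n = 5, b = 1
    for pt in [(ZERO, ONE)] + [random_point(rng) for _ in range(4)]:
        assert on_curve(pt)
        assert mul(3, pt) == power_of_three_formula(pt, 1)        # (alpha^9 - b, -beta^9)
        assert mul(3 ** M, pt) == power_of_three_formula(pt, M)   # (alpha^3, (-1)^m beta^3)
        assert mul(3 ** N, pt) == power_of_three_formula(pt, N)   # (alpha + b, -beta)
        assert mul(order, pt) is None                               # |E(k)| kills every point
    return order
```

The group order 217 can be cross-checked independently: $|E_1(\mathbb{F}_3)| = 7$ gives Frobenius characteristic polynomial $T^2 + 3T + 3$, whose fifth power sum is 27, so $|E_1(\mathbb{F}_{3^5})| = 3^5 + 1 - 27$. The point $(0, 1)$ has order 7 in $E_1(\mathbb{F}_3)$, and $3 \cdot (0,1) = (2, 2) = (0^9 - 1, -1^9)$ as the tripling formula predicts.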

Proposition 1. We apply the lemma. Let $P = (\alpha^3, \beta^3) \in E_b(k)$, for $k$ of degree $[k : \mathbb{F}_3] = n = 2m - 1$ with $\gcd(6, n) = 1$. The line through $\epsilon P$ and $V = 3^{m-1}P$ has equation

$l_{\epsilon P, V} : \epsilon y - \beta(x - \alpha + b) = 0.$

The third point on the line $l_{\epsilon P, V}$ is $(\alpha + mb,\ (-1)^m \beta)$.

Proof. Write $P = 3^m W$, so that $V = 3^n W$. Then $W$ is the third point on the line through $\epsilon P$ and $V$. And $W$ can be obtained as the unique solution to $3^m W = P$. $\square$


This proves the first remark. We can now prove Theorem 3. 

Proof. The contribution of the first loop to $g_P(\phi(Q))$ is

$\prod_{i=1}^{m-1} \Big( (-1)^{i-1} \beta^{(2i)} (\sigma y) - (\alpha^{(2i)} - (i-1)b - (\rho - x) + b)^2 \Big)^{(2m-1-i)}$

$= \prod_{i=1}^{m-1} \Big( (-1)^{i-1} \beta^{(i)} (\sigma^{(n-i)} y^{(n-i)}) - (\alpha^{(i)} - (i-1)b - (\rho + (2m-1-i)b - x^{(n-i)}) + b)^2 \Big)$

$= \prod_{i=1}^{m-1} \Big( \sigma \beta^{(i)} y^{(n-i)} - (\alpha^{(i)} + x^{(n-i)} - \rho + mb)^2 \Big).$

Here we used $\rho^{(j)} = \rho + jb$, $\sigma^{(j)} = (-1)^j \sigma$, and that the Frobenius exponents of $\alpha, \beta, x, y \in k$ may be reduced modulo $n$.

The second loop starts with $V = (\alpha + mb, (-1)^{m+1}\beta)$ instead of $V = P = (\alpha^3, \beta^3)$ and is of length $m$ instead of length $m - 1$. It gives a contribution

$\prod_{i=1}^{m} \Big( (-1)^{i+m} \beta^{(2i-1)} (\sigma y) - (\alpha^{(2i-1)} + (m+1-i)b - (\rho - x) + b)^2 \Big)^{(m-i)}$

$= \prod_{i=1}^{m} \Big( \sigma \beta^{(m-1+i)} y^{(m-i)} - (\alpha^{(m-1+i)} + (m+1-i)b - (\rho + (m-i)b - x^{(m-i)}) + b)^2 \Big)$

$= \prod_{i=m}^{n} \Big( \sigma \beta^{(i)} y^{(n-i)} - (\alpha^{(i)} + x^{(n-i)} - \rho - b)^2 \Big).$

The contribution from $l_{\epsilon P, V}$ follows directly from Proposition 1. This proves Theorem 3. $\square$


5 The Curve $C_d : y^2 = x^p - x + d$

Let $C_d/k$ be the hyperelliptic curve $y^2 = x^p - x + d$, $d = \pm 1$, for $p \equiv 3 \pmod 4$. We assume that $k$ is of degree $[k : \mathbb{F}_p] = n$, for $\gcd(2p, n) = 1$, and we let $F/k$ and $K/k$ be the extensions of degree $[F : k] = p$ and degree $[K : k] = 2p$, respectively. Thus $C_d$ is a direct generalization of the elliptic curve $E_b$ studied in the previous sections. Over the extension field $K$, the curve is the quotient of a Hermitian curve, hence is Hasse–Weil maximal. And the class group over $K$ is annihilated by $p^{pn} + 1$. The last fact can be seen also from the following lemma. It shows that for $P \in C_d(K)$, $(p^{pn} + 1)(P - O)$ is principal. We write $x^{(i)}$ for $x^{p^i}$.

Lemma 4 ([D96],[DS98]). Let $V = (\alpha, \beta) \in C_d$. The function

$h_V = \beta^p y - (\alpha^p - x + d)^{(p+1)/2}$

has divisor $(h_V) = p(V) + (V') - (p+1)O$, where

$V' = (\alpha^{(2)} + d^p + d,\ \beta^{(2)}).$

We will write $V$ also for the divisor class $V - O$, so that $V' = -pV$. In particular $p^{pn}P = -P$, for $P \in C(K)$ and for $\mathrm{Trace}_{K/\mathbb{F}_p}\, d = 0$. Let $M = p^{pn} + 1 = |K^*|/|F^*|$. Thus, the order of $P - O$ in the divisor class group $\Gamma$ is a divisor of $M$. The precise order $N$ of the class group can be obtained from the zeta functions for $C_d$ in [D96], [DS98]. We will only need the following lemma.

Lemma 5. Let $\Gamma_d$ denote the class group of the curve $C_d/k$.

$|\Gamma^+(k)|\,|\Gamma^-(k)| = (p^{pn} + 1)/(p^n + 1).$

In particular, $N = |\Gamma(k)|$ is an odd divisor of $M = p^{pn} + 1$.

We include the size of the class group for $p = 7$. Let $[k : \mathbb{F}_7] = n$ and $m = (n+1)/2$. Then, for a sign $\epsilon = \pm 1$ depending only on $n$,

$|\Gamma^+(k)| = (1 + 7^n)^3 + \epsilon\, 7^m (1 + 7^n + 7^{2n}),$

$|\Gamma^-(k)| = (1 + 7^n)^3 - \epsilon\, 7^m (1 + 7^n + 7^{2n}).$

And $|\Gamma^+(k)|\,|\Gamma^-(k)| = (1 + 7^{7n})/(1 + 7^n)$.

6 Main Theorem 

Miller's algorithm for the Tate pairing on an elliptic curve $E/k$ uses lines as building blocks to construct other rational functions. In our version of the Tate pairing implementation, we do not rely on lines but on the functions described in Lemma 4, so that we can generalize from elliptic curves $E_b/k : y^2 = x^3 - x + b$, $b = \pm 1$, to hyperelliptic curves $C_d/k : y^2 = x^p - x + d$, $d = \pm 1$, for $p \equiv 3 \pmod 4$. Generalization of the results in Section 3 poses no problem.

Theorem 4. Let $N = |\Gamma(k)|$, so that $N$ divides $M = p^{pn} + 1 = |K^*|/|F^*|$. Let $P, O \in C(k)$ be distinct points. Let $f_P$ be a $k$-rational function with $(f_P) = M(P - O)$. For all $Q \in C(K)$, $Q \neq P, O$,

$\{[P - O], [Q - O]\}_M^{\,|K^*|/M} = f_P(Q)^{|F^*|} \in K^*.$

Proof. The argument that shows that the contribution by $O$ can be omitted is the same as in Theorem 2. $\square$

The difference with Theorem 2 is that $f_P$ is computed with a multiple $M$ of $N$ instead of with $N$ itself. The multiple $M$ has trivial expansion in base $p$ and this leads to Algorithm 3, which has no logical decisions (only point multiplication by $p$ and no adding). See also the Remark in Section 6 of [GHS02]. But it has $pn$ iterations compared to $n$ iterations in Algorithm 2 (for the case $p = 3$). After Theorem 5, we will reduce this to $n$ iterations in Algorithm 4. The following generalizations of Lemma 1 and Remark 1 are straightforward.

Lemma 6. Let $N = |\Gamma(k)|$. For an $F$-rational function $f$ and for an $F$-rational divisor $R$ such that $(f) \cap R = \emptyset$,

$f(R) = 1 \in K^*/K^{*N}.$

Proof. We have $f(R) \in F^*$. The group order $N$ is an odd divisor of $p^{pn} + 1$. Therefore, the group order $N$ is coprime to $p^{pn} - 1$, and $F^* = F^{*N} \subset K^{*N}$. $\square$

Remark 3. Let $P \in C(F)$, $Q \in F \times K$, and let $l_{P,O}$ be the vertical line through $P$. Then $l_{P,O}(\phi(Q)) = 1 \in K^*/K^{*N}$.

Definition 2. Let $\rho \in F$ be a root of $\rho^p - \rho + 2d = 0$. Let $\sigma, \bar\sigma \in K$ be the roots of $\sigma^2 + 1 = 0$. Define the distortion map

$\phi : C(K) \to C(K),\qquad \phi(x, y) = (\rho - x,\ \sigma y).$ (3)

Combine the distortion map with Theorem 4 to obtain a pairing

$C(k) \times C(k) \to K^*,\qquad (P, Q) \mapsto f_P(\phi(Q))^{|F^*|} \in K^*.$ (4)
Algorithm 3  $C/k : y^2 = x^p - x + d$.

INPUT: $P \in C(k)$, $Q \in C(K)$, $a = p^{pn} + 1$
$\{[k : \mathbb{F}_p] = n,\ [K : k] = 2p,\ a = |K^*|/|F^*|.\}$

OUTPUT: $f_a(Q) \in K^*/F^*$

$\{(f_a) = a(P) - (aP) - (a-1)O,\ (h_V) = p(V) + (-pV) - (p+1)O.\}$

$V \leftarrow P,\ a \leftarrow 1,\ f \leftarrow 1$
for $i = 1$ to $pn$ do
  $g \leftarrow h_V(Q)$
  $a \leftarrow pa,\ V \leftarrow pV,\ f \leftarrow f^p \cdot g$
end for

Indeed, $(\sigma v)^2 = -v^2 = -u^p + u - d = (\rho - u)^p - (\rho - u) + d$, so $\phi$ maps $C(K)$ to itself.

Theorem 5 (Main Theorem). For $P = (\alpha, \beta)$, $Q = (x, y) \in C(k)$,

$f_P(\phi(Q)) = \prod_{i=1}^{n} \Big( \beta^{(i)} y^{(n+1-i)} \sigma - (\alpha^{(i)} + x^{(n+1-i)} - \rho + d)^{(p+1)/2} \Big).$

Proof. From Algorithm 3, we see that

$f_P(\phi(Q)) = \prod_{i=1}^{pn} h_{p^{i-1}P}(\phi(Q))^{(pn-i)}.$

Substitution of

$h_P(Q) = \beta^p y - (\alpha^p - x + d)^{(p+1)/2},$
$p^{i-1}P = (\alpha^{(2i-2)} + (i-1)2d,\ (-1)^{i-1}\beta^{(2i-2)}),$
$\phi(Q) = (\rho - x,\ \sigma y)$

yields

$\prod_{i=1}^{pn} \Big( (-1)^{i-1} \beta^{(2i-1)} (\sigma y) - (\alpha^{(2i-1)} + (i-1)2d - (\rho - x) + d)^{(p+1)/2} \Big)^{(pn-i)}$

$= \prod_{i=1}^{pn} \Big( (-1)^{i-1} \beta^{(i)} \sigma^{(pn-i)} y^{(pn-i)} - (\alpha^{(i)} + (i-1)2d - (\rho - (pn-i)2d - x^{(pn-i)}) + d)^{(p+1)/2} \Big).$

Or, since $\alpha, \beta, x, y \in k$, and since $(-1)^{i-1}\sigma^{(pn-i)} = \sigma$, for both $i$ odd and $i$ even,

$= \prod_{i=1}^{n} \Big( \beta^{(i)} y^{(n-i)} \sigma - (\alpha^{(i)} + x^{(n-i)} - \rho - d)^{(p+1)/2} \Big)^p$

$= \prod_{i=1}^{n} \Big( \beta^{(i)} y^{(n+1-i)} \sigma - (\alpha^{(i)} + x^{(n+1-i)} - \rho + d)^{(p+1)/2} \Big).$

Finally, in the last step $\rho^p = \rho - 2d$, so that

$(-\rho - d)^p = -\rho + 2d - d = -\rho + d.$

$\square$

Note that $f_P(\phi(Q)) = \cdots$ as it should.


Algorithm 4  $C/k : y^2 = x^p - x + d$.

INPUT: $P = (\alpha, \beta) \in C(k)$, $Q = (\rho - x, \sigma y)$, $(x, y) \in C(k)$, $a = p^{pn} + 1$
$\{[k : \mathbb{F}_p] = n,\ \rho^p - \rho + 2d = 0,\ \sigma^2 + 1 = 0.\}$
$\{[F : \mathbb{F}_p] = pn,\ [K : \mathbb{F}_p] = 2pn,\ a = |K^*|/|F^*|.\}$

OUTPUT: $f_a(Q) \in K^*/F^*$

$\{(f_a) = a(P) - (aP) - (a-1)O.\}$

$f \leftarrow 1$
for $i = 1$ to $n$ do
  $\alpha \leftarrow \alpha^p,\ \beta \leftarrow \beta^p$
  $g \leftarrow \beta y \sigma - (\alpha + x - \rho + d)^{(p+1)/2}$
  $f \leftarrow f \cdot g$
  $x \leftarrow x^{1/p},\ y \leftarrow y^{1/p}$
end for


Summarizing, using a Tate pairing $\{-,-\}_M$ instead of $\{-,-\}_N$ removes all logic and all additions from Algorithm 2. When using the version Algorithm 4 the number of iterations is similar to Algorithm 2. This gives the following advantages for Algorithm 4.

1. Uniform algorithm that applies to all $p \equiv 3 \pmod 4$.

2. Expressing $N = |\Gamma(k)|$ in base $p$ can be omitted.

3. Expressing $|K^*|/N$ in base $p$, for raising $g_P(Q)$ to the power $|K^*|/N$, can be omitted. It is replaced with raising to the power $|F^*|$.

4. At each iteration, only multiplication by $p$ is required, no additions.

5. Multiplication by $p$ using the function $h_P$ is faster than using a product of lines (case $p = 3$).

7 Concluding Remarks 

Theorem 3 for elliptic curves and its generalization Theorem 5 for hyperelliptic 
curves give closed formulae to evaluate the Tate pairing on curves of the form 
y 2 = x p — x + d. The complexity estimate after Lemma 3 indicates a speed- 
up by a factor two over algorithms described in [BKLS02] and [GHS02] when 
using Theorem 3 to evaluate the Tate pairing. Timing comparisons by Keith 
Harrison confirm this estimate. A running time comparison for the closed formula 
for hyperelliptic curves remains to be done. We thank Steven Galbraith, Paulo 
Barreto, Doug Kuhlman, Keith Harrison and anonymous referees for their helpful 
feedback on the preprint version. 
Abstract. We describe an algorithm, AGM-$X_0(N)$, for point counting on elliptic curves of small characteristic $p$ using $p$-adic lifts of their invariants associated to modular curves $X_0(N)$. The algorithm generalizes the construction of Satoh [10], SST [11], and Mestre [9]. We describe this method and give details of its implementation for characteristics 2, 3, 5, 7, and 13.

Keywords: Elliptic curve cryptography, modular curves, point counting

1 Introduction 

Elliptic curve cryptosystems can be designed using the reduction of precom- 
puted CM curves or using randomly selected curves over a finite field. In the 
former case, the curve can be assumed to be drawn from a prespecified list of 
curves having many endomorphisms, on which an adversary can perform pre- 
computations or exploit the existence of endomorphisms of small degree. On the 
general randomly selected curve, the only endomorphisms of small degree are 
scalar multiplication by a small integer. Such curves are believed to have higher 
security, but to implement an elliptic curve cryptosystem using randomly gen- 
erated curves, it is imperative to have an efficient algorithm to determine the 
number of points on arbitrary elliptic curves. 

The first theoretically polynomial time algorithm for point counting was 
due to Schoof [13]. Atkin and Elkies (see [3]) introduced the use of modular 
parametrizations of the torsion subgroups of elliptic curves to turn Schoof’s 
algorithm into a practical one. Couveignes introduced an extension of this al- 
gorithm to curves over finite fields of small characteristic, and independently 
Lercier designed an efficient algorithm specific to characteristic 2. 

In 1999, Satoh [10] introduced a novel idea of $p$-adically lifting the $j$-invariants of the cycle of curves which are related by the Frobenius isogeny $(x, y) \mapsto (x^p, y^p)$ over a finite field $\mathbb{F}_q = \mathbb{F}_{p^m}$ of small characteristic $p$. The $j$-invariants $j_0, j_1, \ldots, j_{m-1}$, with $j_m = j_0$, can be lifted efficiently to a degree $m$ extension of the $p$-adic field $\mathbb{Q}_p$ even though to lift the $j$-invariants to an extension of $\mathbb{Q}$ would in general require an extension of degree $O(\sqrt{q})$. The classical modular polynomial $\Phi_p(X, Y)$ provides the algebraic lifting condition. The unique $p$-adic lifts $j_i$ are those for which the equations $\Phi_p(j_i, j_{i+1}) = 0$ continue to hold. This was followed
by the exposition of extensions to characteristic 2 in [4] and [11]. Subsequently, in 2001, Mestre [9] introduced the use of the arithmetic-geometric mean, or AGM, to obtain elementary convergent recursion relations for the invariants of the $p$-adic lift of an elliptic curve.

In this work, we introduce a family of algorithms AGM-$X_0(N)$ given by convergent $p$-adic recursions for determining the $p$-adic lifts of Heegner points on modular curves $X_0(N)$. Heegner points are special points on modular curves which correspond to exceptional elliptic curves with CM, and are invariants from which we can "read off" the data for the trace of Frobenius, determining its number of points over $\mathbb{F}_q$. Specifically, we describe how the univariate version of Mestre's method as described in Gaudry [5] and Satoh [12] relates to the AGM-$X_0(8)$, and present essentially new generalizations AGM-$X_0(2)$, AGM-$X_0(4)$, and AGM-$X_0(16)$ which apply to point counting on elliptic curves in characteristic 2. In general this method is applicable to point counting on elliptic curves of any small characteristic $p$, with complete details described here for characteristics 2, 3, 5, 7, and 13.

The present work creates a general framework for point counting on elliptic 
curves over fields of small characteristic. While the AGM point counting method 
for even characteristic fields had outpaced comparable algorithms for curves 
over fields of other small characteristics, as well as the SEA for prime fields, the 
present AGM-$X_0(N)$ variants of the algorithm place all small characteristic base 
fields on an equal footing. Exploitation of the AGM for cryptographic construc- 
tions or any potential cryptanalytic attacks should therefore extend naturally 
to any small characteristic base field. The main elliptic curve standards admit 
only extensions of the binary field or large prime fields, but the omission of odd 
characteristic extension fields is not based on security considerations. Crypto- 
graphic standards for odd characteristic extension fields have been proposed [6], 
in part to permit efficient software implementations of curves over medium-sized 
characteristic [1]. A generic framework for odd characteristic extension fields 
also applies to fields of small characteristic, and makes it imperative to advance 
the theory of applicable algorithms and cryptographic characteristics of elliptic 
curves over arbitrary finite fields. 


2 Modular Curves and Parametrizations 


A modular curve $X_0(N)$ parametrizes elliptic curves together with some cyclic $N$-torsion subgroup. The simplest case is the modular curve $X_0(1)$ which classifies elliptic curves up to isomorphism via their $j$-invariants. Associated to any $j$ other than $0$ or $12^3$, we can write down a curve

$E : y^2 + xy = x^3 - \dfrac{36}{j - 12^3}\, x - \dfrac{1}{j - 12^3}$

with associated invariant $j$. The curve $X_0(1)$ is identified with the line of $j$-values, each point corresponding to the class of curves with invariant $j$. The next simplest case is the curve $X_0(2)$, which is described by a function $s_1$, and which classifies an elliptic curve together with a 2-torsion subgroup.
$E_1 : y^2 + xy = x^3 - 128 s_1 x^2 - \dfrac{36 s_1}{64 s_1 + 1}\, x + \dfrac{512 s_1^2 - s_1}{64 s_1 + 1}.$

The $j$-invariant of this curve is $j = (256 s_1 + 1)^3/s_1$ and the 2-torsion subgroup is specified by $P = (-1/4, 1/8)$. The quotient of the curve $E_1$ by this group gives a new curve

$F_1 : y^2 + xy = x^3 - 128 s_1 x^2 - \dfrac{327680 s_1^2 + 3136 s_1 + 5}{16(64 s_1 + 1)}\, x + \dfrac{(512 s_1 + 1)(262144 s_1^2 + 1984 s_1 + 3)}{64(64 s_1 + 1)}$

with $j$-invariant $(16 s_1 + 1)^3/s_1^2$. If we try to put the curve $F_1$ into the form

$E_2 : y^2 + xy = x^3 - 128 s_2 x^2 - \dfrac{36 s_2}{64 s_2 + 1}\, x + \dfrac{512 s_2^2 - s_2}{64 s_2 + 1}$

for some $s_2$, then we necessarily have an equality of their $j$-invariants

$j(F_1) = (16 s_1 + 1)^3/s_1^2 = (256 s_2 + 1)^3/s_2 = j(E_2),$

which gives rise to a relation $s_1^2 - 4096 s_1 s_2^2 - 48 s_1 s_2 - s_2 = 0$ between the $s$-invariants on $E_1$ and $E_2$, where we discard the trivial factor $4096 s_1 s_2 - 1$, determining the parametrized dual isogeny

$E_1 \longrightarrow E_1/\langle P \rangle = F_1,$
$F_2 = E_2/\langle P \rangle \longleftarrow E_2.$

For the former equation, the resulting composition $\phi_1 : E_1 \to F_1 \cong E_2$, which may only exist over a quadratic extension of the field generated by $s_1$ and $s_2$, can be shown to induce the pullback $\omega_2 = \pi(s_1, s_2)\,\omega_1$ where

$\pi(s_1, s_2) = \left( \dfrac{(256 s_1 + 1)(512 s_2(64 s_2 + 1) - 8 s_1 + 1)}{(256 s_2 + 1)(-256 s_2(256 s_2 + 1) + 16 s_1 + 1)} \right)^{1/2},$

and where $\omega_1$ and $\omega_2$ are the invariant differentials $dx/2y$ on the respective curves $E_1$ and $E_2$. Since the reduction of the relation between the $s$-invariants of the curves $E_1$ and $E_2$ gives $s_2 = s_1^2 \bmod 2$, and the kernel is defined to be those points $(x, y)$ for which $4x + 1 = 0$, we conclude that $\phi_1$ defines a parametrized lift of the Frobenius isogeny.

The isogeny $\phi_1$ can be extended similarly by an isogeny $\phi_2$,

$E_1 \longrightarrow F_1 = E_2 \longrightarrow F_2 = E_3 \longrightarrow \cdots$

and the corresponding cycle of invariants $s_1, s_2, \ldots, s_m$, linked by a chain of isogeny relations, the product of the $\pi_i = \pi(s_i, s_{i+1})$ determines the action of Frobenius on the space of differentials of $E_1$ and we can read off its trace, which determines the number of points on the curve. This is the basis of the algorithm of Satoh [10] using the $j$-invariant and the algorithm of Mestre [9] using modular parametrizations of elliptic curves by the curve $X_0(8)$. The above example provides the equations necessary to use the curve $X_0(2)$ in an analogous manner.
2.1 Modular Correspondences

The equation $\Phi(s_1, s_2) = s_1^2 - 4096 s_1 s_2^2 - 48 s_1 s_2 - s_2 = 0$, derived in the previous section, is an example of a modular correspondence. The function $s$ on $X_0(2)$ generates the function field, and the relation between $s_1$ and $s_2$ determines the image of the modular curve $X_0(4)$ in the product $X_0(2) \times X_0(2)$.

At a high level we extend this construction as follows. A point on a modular curve $X_0(N)$ corresponds to the isomorphism class of a pair $(E, G)$, where $E$ is an elliptic curve and $G$ is a subgroup isomorphic to $\mathbb{Z}/N\mathbb{Z}$. For any such pair $(E, G)$ we may associate the quotient curve $F = E/G$ together with the quotient isogeny $\phi : E \to F$. Conversely, to any isogeny $\phi : E \to F$ with cyclic kernel of order $N$, we can associate the pair $(E, \ker(\phi))$. We say that a map of curves $X_0(pN) \to X_0(N) \times X_0(N)$ is an oriented modular correspondence if the image of each point representing a pair $(E, G)$ maps to $((E_1, G_1), (E_2, G_2))$ where $E_1 = E$ and $G_1$ is the unique subgroup of index $p$ in $G$, and where $E_2 = E/H$ and $G_2 = G/H$, where $H$ is the unique subgroup of order $p$. Since the composition

$\phi : E = E_1 \to E_2 \to E_2/G_2 = E/G$

recovers the pair $(E, G)$, one considers the point $(E_2, G_2)$ as an extension of the degree $N$ isogeny $\phi_1 : E_1 \to E_1/G_1$ determined by $(E_1, G_1)$ to the isogeny of degree $pN$ determined by $(E, G)$. When the curve $X_0(N)$ has genus zero, there exists a single function $x$ which generates its function field, and the correspondence can be expressed as a binary equation $\Phi(x, y) = 0$ in $X_0(N) \times X_0(N)$ cutting out $X_0(pN)$ inside of the product.

At a more basic level, the construction is determined as follows. Let $x = x(q)$ be a suitable modular function generating the function field of a genus zero curve $X_0(N)$, represented as a power series. Then $y = x(q^p)$ is a modular function on $X_0(pN)$, and an algebraic relation $\Phi(x, y) = 0$ determines an oriented modular correspondence as above. The application of modular correspondences to the lifting problem for elliptic curves is based on the following theorem.

Theorem 1. Let $p$ be a prime dividing $N$ and let $\Phi(x, y) = 0$ be the equation defining an oriented modular correspondence $X_0(pN) \to X_0(N) \times X_0(N)$ on a modular curve $X_0(N)$ of genus zero such that $\Phi(x, y) \equiv x^p - y \bmod p$. Let $x_1, x_2, \ldots, x_m, x_{m+1} = x_1$ be a sequence of $m \ge 2$ distinct algebraic integers in some unramified extension of $\mathbb{Q}_p$ such that $\Phi(x_i, x_{i+1}) = 0$. Then the $x_i$ form a Galois conjugacy class of invariants of CM curves.

The above theorem describes the relation between cycles of points on modu- 
lar curves and CM curves. A sequence of points satisfying the conditions of the 
theorem are examples of Heegner points on Xo(N). After an initial precompu- 
tation to determine the equations as presented in this article, it is sufficient to 
dispense with the elliptic curves and compute only with their modular invari- 
ants. The defining functions and relations for the family determine the particular 
algorithm AGM-Xo(N) to be used for p-adic lifting. Each is denoted accord- 
ing to the modular curve Xq(N) on which we lift points. In each instance we 
have an initial condition of the form $x_1 = 1/j \bmod p$ and a recursion for computing the function $x_{i+1}$ in terms of $x_i$, which arises from the correspondence $X_0(2N) \to X_0(N) \times X_0(N)$ given by the equations $\Phi(x_i, x_{i+1}) = 0$ as below.

$X_0(2) : s_1^2 - 16(256 s_2 + 3) s_1 s_2 - s_2 = 0,$   $X_0(8) : u_1^2(4u_2 + 1)^2 - u_2 = 0,$

$X_0(4) : t_1^2 - 16(16 t_1 t_2 + t_1 + t_2) t_2 - t_2 = 0,$   $X_0(16) : v_1^2(4 v_2^2 + 1) - v_2 = 0.$

The relations between the above functions are given by the identities

$j_1 = (256 s_1 + 1)^3/s_1,$   $t_1 = u_1/(-4u_1^2 + 1),$
$s_1 = t_1(16 t_1 + 1),$   $u_1 = v_1/(1 + 4v_1^2).$

Each function can be expressed in terms of the classical modular functions from which their relations were derived.

Families of $p$-adic liftings exist for odd characteristic, and in particular, when the genus of $X_0(N)$ is zero$^1$ we obtain a simple relation for the correspondence $X_0(pN) \to X_0(N) \times X_0(N)$. For instance, if $p = 3$ and $N$ is 3 or 9 we give the correspondences defining algorithms AGM-$X_0(3)$ and AGM-$X_0(9)$ below.

$X_0(3) : s_1^3 - 9(59049 s_1^2 s_2^2 + 2916 s_1 s_2 + 81 s_2 + 30 s_1 + 4) s_1 s_2 - s_2 = 0$
$X_0(9) : t_1^3 - 9((27 t_1^2 + 9 t_1 + 1)(3 t_2 + 1) t_2 + (3 t_1 + 1) t_1) t_2 - t_2 = 0$

The relations between these functions and the $j$-invariant are given by the equations:

$j_1 = (27 s_1 + 1)(243 s_1 + 1)^3/s_1,$
$s_1 = (27 t_1^2 + 9 t_1 + 1) t_1.$


2.2 Power Series Developments 

Each of the selected functions is $p$-adically convergent away from the supersingular point $j_1 = 0 \bmod p$ when $p = 2$ or $3$. The equations of the form $\Phi(x_i, x_{i+1}) = 0$ allow us to find a general solution for $x_{i+1}$ as a power series in $x_i$. We note that for all functions given above, $j_1^{-1}$ is an initial approximation to the $p$-adic value of $x_1$.

$X_0(2)$:

$s_{i+1} = s_i^2 - 48 s_i^3 + 2304 s_i^4 - 114688 s_i^5 + 5898240 s_i^6 + \cdots$
$\phantom{s_{i+1}} = s_i^2\,(1 - 48 s_i)(1 + 2304 s_i^2)(1 - 4096 s_i^3)(1 + 5701632 s_i^4) \cdots$

$X_0(4)$:

$t_{i+1} = t_i^2 - 16 t_i^3 + 240 t_i^4 - 3584 t_i^5 + 53760 t_i^6 - 811008 t_i^7 + \cdots$
$\phantom{t_{i+1}} = t_i^2\,(1 - 16(t_i - 15 t_i^2))(1 - 3584(t_i^3 + t_i^4))(1 - 8192 t_i^5)(1 + 13029376 t_i^6) \cdots$


The genus of Xo(N) is zero if and only if N is one of the values 1, 2, 3, 4, 5, 6, 
7, 8, 9, 10, 12, 13, 16, 18, or 25. In this case, there exists a single function which 
parametrizes Xo(N). In the general case we would need multiple functions and the 
polynomial relations they satisfy. Here we will only be interested in the subset of 
these N which are powers of the characteristic p. 
Table 1. HeegnerPointAnalyticLift.

Input: The modular polynomial $\Phi(x, y)$; the precomputed product decomposition for the analytic power series

$y(x) = x^p f_1(x) f_2(x) \cdots$ such that $\Phi(x, y(x)) = 0$

and $f_i(x) \equiv 1 \bmod p^i$; a finite field element $x_0$ such that $\Phi(x_0, x_0^\sigma) = 0$; and a target precision $w$.

Output: An unramified $p$-adic lift $x_1$ of a Galois conjugate of $x_0$ such that $(x_1, x_1^\sigma)$ is a zero of $\Phi$ to precision $p^w$.

  Set $x_1$ to be any $p$-adic lift of $x_0$.
  for ($1 \le k \le w - 1$) {
    $x_1 = x_1^p \prod_{i=1}^{k} f_i(x_1) \bmod p^{k+1}$
  }
  return $x_1$

$X_0(8)$:

$u_{i+1} = u_i^2 + 8 u_i^4 + 80 u_i^6 + 896 u_i^8 + 10752 u_i^{10} + 135168 u_i^{12} + \cdots$
$\phantom{u_{i+1}} = u_i^2\,(1 + 8 u_i^2)(1 + 80 u_i^4)(1 + 256 u_i^6)(1 + 8704 u_i^8) \cdots$

$X_0(16)$:

$v_{i+1} = v_i^2 + 4 v_i^6 + 32 v_i^{10} + 320 v_i^{14} + 3584 v_i^{18} + 43008 v_i^{22} + \cdots$
$\phantom{v_{i+1}} = v_i^2\,(1 + 4 v_i^4)(1 + 32 v_i^8)(1 + 192 v_i^{12})(1 + 2816 v_i^{16})(1 + 25600 v_i^{20}) \cdots$

Similarly the first few classes of algorithms on $X_0(3^n)$ give rise to the following $p$-adic analytic recursions.

$X_0(3)$:

$s_{i+1} = s_i^3 - 36 s_i^4 + 1026 s_i^5 - 27216 s_i^6 + 702027 s_i^7 - 17898408 s_i^8 + \cdots$
$\phantom{s_{i+1}} = s_i^3\,(1 - 36 s_i)(1 + 1026 s_i^2)(1 + 9720 s_i^3)(1 + 1051947 s_i^4)(1 + 9998964 s_i^5 + 93927276 s_i^6) \cdots$

$X_0(9)$:

$t_{i+1} = t_i^3 - 9 t_i^4 + 54 t_i^5 - 252 t_i^6 + 891 t_i^7 - 1701 t_i^8 - 6426 t_i^9 + \cdots$

= if (1 — 9 U - 252f?)(l + 54f? + 649674ff)(l + 5265t|)- 

(1 + 486t? + 33048tf + 2925234tJ + 98492517tf) • • • 

The above power series give explicit convergent series for the action of the Frobenius automorphism on ordinary CM points on the modular curves $X_0(p^n)$ for those particular values of $p$ and $n$. The power product representations have the property that all but finitely many terms equal one to any fixed precision $p^l$. Note that the iteration $x_i \mapsto x_{i+1}$ is of the form $x_{i+1} = x_i^p f(x_i)$ for some power series $f(x_i)$ in $x_i$, and that the $p$-th powering gains relative precision. Thus in the initial phase we iterate the initial terms of the power product representation mod $p^l$ to lift an approximation to the CM point as described in Table 1.
Table 2. Modular action of Verschiebung. Columns: $m$-th power of Verschiebung; norm-equivalent expression; $m$.

$X_0(2)$:
  $\dfrac{(256 s_2 + 1)(-256 s_2(256 s_2 + 1) + 16 s_1 + 1)}{(256 s_1 + 1)(512 s_2(64 s_2 + 1) - 8 s_1 + 1)}$  |  $\dfrac{-256 s_2(256 s_2 + 1) + 16 s_1 + 1}{512 s_2(64 s_2 + 1) - 8 s_1 + 1}$  |  2

$X_0(4)$:
  $\dfrac{32 t_2 + 1}{8 t_1 + 1}$  |  $\dfrac{32 t_1 + 1}{8 t_1 + 1}$

$X_0(8)$:
  $(-4u_1 + 1)(4u_2 + 1)$  |  $1 + 4u_1$

$X_0(16)$:
  $\dfrac{(-4v_1^2 + 1)(4v_2^2 + 1)}{4v_1^2 - 1}$  |  $1 + 4v_1^2$

$X_0(3)$:
  $\dfrac{(3 s_1 + 1)(-19683 s_1^2 - 486 s_1 + 1)}{(243 s_1 + 1)(-27 s_1^2 + 18 s_1 + 1)}$

$X_0(9)$, with $A = 27 t_1^2 + 9 t_1 + 1$ (so that $s_1 = A t_1$ and the entry is the $X_0(3)$ entry rewritten in $t_1$):
  $\dfrac{(3 t_1 + 1)(27 t_1^2 + 1)(-243(81 A^2 t_1^2 + 2 A t_1) + 1)}{(-27 t_1^2 + 1)(243 A t_1 + 1)(729 t_1^4 + 486 t_1^3 + 162 t_1^2 + 18 t_1 + 1)}$

2.3 Action of Verschiebung 

In order to apply the Heegner point constructions to the determination of the trace of Frobenius, we need the pullback of Frobenius between the differentials of parametrized curves specified by a modular correspondence. In Table 2 we give the value of this scalar action of Verschiebung, the dual to Frobenius, in the left hand column. Using the identity $N(x_1) = N(x_2)$ for any Galois conjugates $x_1$ and $x_2$, we are able to simplify the expressions by eliminating terms whose norm reduces to 1. In the final column we indicate with a 1 or 2 whether the expression is for the Verschiebung itself, or its square. In the latter case, we must extract a square root in the course of computing the norm.

3 Algorithm and Performance 

In order to construct the initial lifting of a finite field element to a $p$-adic element with precision $w$, we make use of the power series for $x_{i+1}$ in terms of $x_i$ as described in Table 1. Since the power series is approximated mod $p$ by the congruence $x_{i+1} \equiv x_i^p \bmod p$, each application of this $p$-adic analytic function gains one coefficient of precision.

The analytic method, using a precomputed power product representation of 
the Hensel lifting of the power series appears to be more efficient than a naive 
linear Hensel lifting to compute the canonical lift to a precision of one 32-bit 
Table 3. HeegnerPointBlockLift.

Input: The modular polynomial $\Phi$, integers $m$ and $w$, and a $p$-adic element $x$ such that $(x, x^\sigma)$ is a zero of $\Phi$ to precision $p^w$.

Output: A lift of $x$ such that $(x, x^\sigma)$ is a zero to precision $p^{mw}$.

  $D_x = \Phi_x(x, x^\sigma) \bmod p^w$
  $D_y = \Phi_y(x, x^\sigma) \bmod p^w$
  for ($1 \le i < m$) {
    $R_x = (\Phi(x, x^\sigma) \;\mathrm{div}\; p^{iw}) \bmod p^w$
    for ($1 \le j \le w$) {
      $\Delta x = (R_x \bmod p)^{1/p}$ lifted to precision $p^w$
      $R_x = (R_x + D_x \Delta x + D_y \Delta x^\sigma)/p$
      $x \mathrel{+}= p^{iw+j-1}\,\Delta x$
    }
  }
  return $x$


computer word. This is in part explained by the observation that a significant 
number of steps of the fi{x )' s are in fact equal to 1, and so can be omitted from 
the product. Finally, we note that this product expression structures the Hensel 
lifting to use only multiplications. 

The second phase of the lifting mirrors Algorithm 1 of SST [11], expressed here in terms of the Frobenius automorphism $\sigma$ rather than its inverse. The algorithm of SST refers to the classical modular polynomial $\Phi_p(j_1, j_2)$ relating the $j$-invariants of two $p$-isogenous curves, but in fact applies in great generality$^2$ to find $p$-adic solutions to a bivariate polynomial $\Phi(x, y)$ for which $(x^p - y) \mid \Phi(x, y) \bmod p$.

Here we apply it to our modular correspondences $\Phi(x, y)$ on the curves $X_0(N)$. We define $\Phi_x(x, y)$ and $\Phi_y(x, y)$ to be the derivatives with respect to the first and second variable, respectively, of the modular correspondence. The algorithm is given in Table 3.
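The script below is an added example, not the paper's code and not its Magma implementation: it runs the Newton/Hensel step at the heart of Tables 1 and 3 in the simplest possible setting, a cycle of length one on $X_0(2)$ over $\mathbb{F}_2$ (the degenerate $m = 1$ case of the cycles in Theorem 1, where the Galois action is trivial and plain integer arithmetic modulo $2^w$ suffices). Since $\Phi(s_1, s_2) = s_1^2 - 4096 s_1 s_2^2 - 48 s_1 s_2 - s_2$ reduces to $s_2 = s_1^2 \bmod 2$, the point $s = 1/j = 1$ of $X_0(2)(\mathbb{F}_2)$ is its own Frobenius image and lifts to a fixed point of $\Phi(s, s) = 0$ in $\mathbb{Z}_2$. The check that the lifted $j = (256 s + 1)^3/s$ equals $-3375 = -15^3$, the $j$-invariant of the curve with CM by $\mathbb{Z}[(1 + \sqrt{-7})/2]$, rests on the hand-checked identity $(256 s + 1)^3 + 3375 s = (4096 s + 1)(4096 s^2 + 47 s + 1)$, which is an assumption of the example rather than a statement from the paper.

```python
# Added example (not the paper's code): the Newton/Hensel lift behind Tables 1
# and 3 in its simplest form, a Heegner cycle of length one on X_0(2) over F_2.
# Phi(s1, s2) = s1^2 - 4096 s1 s2^2 - 48 s1 s2 - s2 is s2 = s1^2 mod 2, so a point
# of X_0(2)(F_2) is its own Frobenius image and its lift is a fixed point of
# Phi(x, x) = 0; with m = 1 no Galois action is needed and integer arithmetic
# modulo 2^w suffices.  The final check uses the polynomial identity
# (256 s + 1)^3 + 3375 s = (4096 s + 1)(4096 s^2 + 47 s + 1) (assumed; hand-checked),
# which says the lifted j is -3375 = -15^3, the j-invariant of the curve with CM
# by Z[(1 + sqrt(-7))/2].


def phi(x, y):
    """Modular correspondence X_0(4) -> X_0(2) x X_0(2) in the s-invariant."""
    return x * x - 4096 * x * y * y - 48 * x * y - y


def phi_x(x, y):
    """Derivative of Phi in the first variable (even, hence 0 mod 2)."""
    return 2 * x - 4096 * y * y - 48 * y


def phi_y(x, y):
    """Derivative of Phi in the second variable (odd, hence a 2-adic unit)."""
    return -8192 * x * y - 48 * x - 1


def lift_fixed_point(x0, w):
    """Newton-lift a fixed point x0 of Phi(x, x) = 0 from F_2 to Z/2^w.

    Because Phi_x + Phi_y is a unit, each step at least doubles the 2-adic
    precision, so bit_length(w) + 1 steps are enough to reach precision 2^w."""
    mod = 2 ** w
    x = x0 % mod
    for _ in range(w.bit_length() + 1):
        d = (phi_x(x, x) + phi_y(x, x)) % mod
        x = (x - phi(x, x) * pow(d, -1, mod)) % mod
    return x


def j_from_s(s, w):
    """j = (256 s + 1)^3 / s of the lifted point, as an element of Z/2^w (s is a unit)."""
    mod = 2 ** w
    return (256 * s + 1) ** 3 * pow(s, -1, mod) % mod


def lifted_j(w=64):
    """Lift s = 1/j = 1 mod 2 (the ordinary class j = 1 over F_2) and return j mod 2^w."""
    s = lift_fixed_point(1, w)
    assert phi(s, s) % 2 ** w == 0, "lift did not converge"
    return j_from_s(s, w)
```

For a cycle of length $m > 1$ the same Newton step has to be taken on the system $\Phi(x_i, x_{i+1}) = 0$ over an unramified extension of $\mathbb{Z}_2$, which is exactly the bookkeeping that Table 3 organizes block by block; the length-one case above is where that machinery collapses to one polynomial in one unknown.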

The final step is to make use of the precomputed form of the action of Frobenius on the differentials for an elliptic curve parametrization by $X_0(N)$. This action will be a rational function $\pi_1 = \pi(x_1)$ in the value $x_1$ of the lifted point. The Frobenius endomorphism is the product of the Galois conjugate Frobenius isogenies, so the norm $N(\pi_1)$ of this value gives the action of the Frobenius endomorphism on the differentials. Since the minimal polynomial $X^2 - tX + q$ for this element is congruent to $X(X - t)$ modulo $q$, we see that $N(\pi_1) \bmod q = 0$ and $(q \;\mathrm{div}\; N(\pi_1)) \equiv t \bmod q$. In a now standard trick, the norm is computed using the identity $N(\pi_1) = \exp(\mathrm{Tr}(\log(\pi_1)))$, using the efficiency of trace computation [11].

A generic implementation [7] of the method in Magma [8] yields the following timing data of Table 4 on a 1.4GHz AMD machine. The algorithm


2 This observation was already used by Gaudry [5] in extending this algorithm to 
modified AGM modular equation. 
Table 4. Timing data for AGM-$X_0(N)$.

p = 2:
  m     log2(q)   X_0(2)   X_0(4)   X_0(8)   X_0(16)
  163   163.00    0.48s    0.46s    0.45s    0.55s
  193   193.00    0.61s    0.59s    0.60s    0.72s
  239   239.00    0.91s    0.88s    0.91s    1.08s

p = 3:
  m     log2(q)   X_0(3)   X_0(9)
  103   163.25    8.95s    10.8s
  121   191.78    19.7s    19.8s
  127   201.29    21.1s    21.2s
  151   239.33    43.5s    46.6s

p = 5:
  m     log2(q)   X_0(5)   X_0(25)
  71    164.86    8.06s    8.75s
  83    192.72    12.6s    13.5s
  103   239.16    30.5s    30.9s

p = 7:
  m     log2(q)   X_0(7)
  59    165.63    5.13s
  69    193.70    10.9s
  71    199.32    11.3s
  83    233.01    19.8s
  85    238.63    21.6s

p = 13:
  m     log2(q)   X_0(13)
  43    159.12    4.18s
  53    196.12    8.66s
  61    225.73    14.3s
  65    240.53    19.1s

makes use of the internal Magma implementation of an efficient Galois action 
on unramified cyclotomic extensions when p = 2, and otherwise falls back on 
Hensel lifting to determine Galois images when the residue characteristic is odd. 
The timings listed are independent of the one-time setup costs for initializing 
the p-adic lifing rings. Further specific optimizations for p = 2 make this case 
comparatively faster than for odd residue characteristic. 


4 Relations with Other Algorithms 

The chosen model curve for $X_0(8)$ is the equation $u_1^2(4u_2 + 1)^2 = u_2$, which 
has the property that its reduction modulo 2 takes the form $u_1^2 = u_2$, so that 
$u_2$ is the Galois image of $u_1$. Over a field of characteristic zero, this equation 
becomes isomorphic to the equation arising in the “univariate” version of the 
AGM recursion $4xy^2 = (x + 1)^2$ via the change of variables^3 

$$x = \frac{1 + 4u_1}{1 - 4u_1} \quad \text{and} \quad y = \frac{1 + 4u_2}{1 - 4u_2}.$$ 

^3 Gaudry [5] makes a similar change of variables $x = 1/(1 + 8u)$ and $y = 1/(1 + 8v)$, 
from which he obtains the relation $(u + 2v + 8uv)^2 + (4u + 1)v = 0$, having the similar 
property of giving rise to an equation $u^2 = v$ between Galois conjugates modulo 2. 
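As a check added here (it is not part of the original text), both substitutions can be carried through the AGM recursion $4xy^2 = (x+1)^2$:

$$\begin{aligned}
&x = \frac{1+4u_1}{1-4u_1},\ y = \frac{1+4u_2}{1-4u_2}:\quad
\frac{4(1+4u_1)(1+4u_2)^2}{(1-4u_1)(1-4u_2)^2} = \frac{4}{(1-4u_1)^2} \\
&\iff (1-16u_1^2)(1+4u_2)^2 = (1-4u_2)^2
\iff (1+4u_2)^2 - (1-4u_2)^2 = 16u_2 = 16u_1^2(1+4u_2)^2 ; \\[4pt]
&x = \frac{1}{1+8u},\ y = \frac{1}{1+8v}:\quad
\frac{4}{(1+8u)(1+8v)^2} = \frac{(2+8u)^2}{(1+8u)^2} \\
&\iff 1+8u = (1+4u)^2(1+8v)^2 = \bigl(1 + 4(u+2v+8uv)\bigr)^2
\iff 0 = 16(1+4u)v + 16(u+2v+8uv)^2 .
\end{aligned}$$

The first line recovers the model $u_1^2(4u_2+1)^2 = u_2$ and the second Gaudry's relation $(u+2v+8uv)^2 + (4u+1)v = 0$; reducing modulo 2 removes every term with an even coefficient and leaves $u_1^2 = u_2$ and $u^2 = v$ respectively.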
Thus the use of 2-adic Heegner point lifts on $X_0(8)$ to determine the number 
of points on an elliptic curve over $\mathbf{F}_{2^m}$ could fall under a purported patent 
application on the AGM point counting method^4. 

In contrast, the modular curves $X_0(1)$, $X_0(2)$, $X_0(4)$, $X_0(8)$, and $X_0(16)$ are 
nonisomorphic as moduli spaces, and only the modular correspondence for $X_0(8)$ 
transforms by change of variables into the univariate AGM method. In fact if $j$ 
is a root of the polynomial $x^3 + x + 1$ over $\mathbf{F}_2$, then the canonical lift of $j$ on $X_0(1)$ 
is a root of the polynomial: 

$$x^3 + 3491750x^2 - 5151296875x + 12771880859375.$$ 

The original method of Satoh, extended to characteristic 2 as in [4] or [11], finds 
some 2-adic approximation to a root of this polynomial. In contrast, in terms of 
the functions $s$, $t$, $u$, and $v$, the minimal polynomials over $\mathbf{Q}$ of a canonical lift 
are respectively: 

$$2^{36}x^6 + 2^{25}\cdot 83\,x^5 + 14351421440x^4 + 412493295x^3 + 3503765x^2 + 166x + 1,$$ 

$$2^{24}x^6 + 2^{17}\cdot 59\,x^5 + 1561856x^4 + 143007x^3 + 6101x^2 + 118x + 1,$$ 

$$2^{6}x^6 + 2^{4}\cdot 17\,x^5 + 572x^4 + 203x^3 + 13x^2 + 2x + 1,$$ 

$$2^{3}x^6 - 4x^5 + 18x^4 + 13x^3 + 9x^2 + 4x + 1.$$ 

The above polynomials are examples of class invariants obtained by modular 
correspondences on $X_0(1)$, $X_0(2)$, $X_0(4)$, $X_0(8)$, and $X_0(16)$, the latter examples 
naturally generalizing the construction of Couveignes and Henocq [2] for $X_0(1)$. 
5 Appendix of Equations of Higher Level 

In this appendix we give the equations for the modular correspondences and 
action of Verschiebung necessary to implement the AGM-$X_0(N)$ for $N$ = 5, 25, 
7, and 13. The modular correspondences on $X_0(5)$, $X_0(25)$, $X_0(7)$, and $X_0(13)$ 
with respect to a degree one function on the curve are as follows. 

$X_0(5)$ : 

af - 244140625sfs| - 58593750sfsf - 4921875sfs| - 162500sfs^ 

-1575s|s 2 - 1953125s?sf - 468750sfaf - 39375s?s| - 1300s?s 2 

— 15625sfs 3 — 3750sfs 2 — 315sfs 2 — 125sis 2 — 30 sis 2 — s 2 = 0 

$X_0(25)$ : 

tf — 625^2 — 625fft| — 375fff2 — 12bt\t\ — 25 t 4 t 2 — 625^2 — 625if ^ 

— 375f?fi - 125f?fi - 25f?f 2 - 375 t\t\ - 375 t\t\ - 225 t\t\ - 75 
—15 t\t2 — 125tit2 — 125tit2 — 75tit| — — 5tif 2 — 25t| — 25f 4 

—15 t 3 — 5t^ — t2 = 0 

The functions $s$ on $X_0(5)$ and $t$ on $X_0(25)$ are linked by the relation 
$s = 25t^5 + 25t^4 + 15t^3 + 5t^2 + t$. 


$X_0(7)$ : 

4 - 13841287201s?4 - 7909306972sfsl - 1856265922sfsi - 224003696s?s| 
-14201915s|s| - 422576 s\sl - 4018sfs 2 - 282475249sfs| - 161414428sfs| 
— 37882978sfs| - 4571504sfs^ - 289835sfs^ - 8624sfs 2 - 5764801sfs| 
-3294172sfsf - 773122sfs^ - 93296sfs 2 - 5915sf«2 - 117649sfs| 

— 67228s 3 s 3 - 15778sfs2 - 1904sfs 2 - 2401 afs| - 1372sfs^ - 322 sfs 2 
— 49si«2 — 28sis 2 — s 2 = 0 
$X_0(13)$ : 

A'] 3 - 23298085122481s} 2 s} 3 - 46596170244962s} 2 s} 2 - 44804009850925s} 2 *} 1 
— 27020264402404s} 2 s}° - 11283187332872s} 2 s| - 3409754413780s} 2 sf 
— 7583 78 3 7646 2 s J 2 .s .2 - 123855918940s} 2 sS} - 14548002326s} 2 sl 
— 1 174999540s} 2 s| - 59916584s} 2 s} - 1623076s} 2 s} - 15145s} 2 s 2 
-1792160394037s} 1 s} 2 - 3584320788074s} 1 *} 1 - 3446462296225s} 1 *} 0 
-2078481877108s} 1 *!} - 867937487144s} 1 *} - 262288801060s} 1 *} 
-58336813574s} 1 *} - 9527378380s j 1 .?! - 1119077102s} 1 *} 

-90384580s} 1 *} - 4608968s} 'si - 124852s} 1 s 2 - 137858491849s} 0 *} 1 
— 275716983698s}°s}° - 265112484325 s}°sl - 159883221316s}°s} 
-66764422088s}°s} - 20176061620s}°s} - 4487447198s}°s} 

— 732875260s}°s} - 86082854s}°s} - 6952660s}°sl - 354536s}°s 2 
-10604499373s o s}° - 21208998746s?s} - 20393268025s?sl 
-12298709332s?sl - 5135724776s?s} - 1552004740s?s} 

-345188246s?s| - 56375020s?s} - 6621758 sfsl - 534820s?s 2 
-815730721sfs} - 1631461442sfs} - 1568712925s?s} - 946054564s}s} 
-395055752s?s} - 119384980s?s| - 26552942sfs} - 4336540sfs! 

— 509366sfs 2 - 62748517s}s} - 125497034s}s} - 120670225s}s} 

-72773428 s}s} - 30388904s}s} - 9183460s}s} - 2042534s}sl 
— 333580s}s 2 — 4826809s 0 s} — 9653618s°s} — 9282325s°S2 — 5597956s}s} 
-2337608s}s} - 706420s}s} - 157118s?s 2 - 371293s?s} - 742586sfs} 

— 714025s}s} - 430612sfs} - 179816sfs} - 54340s}s 2 - 28561sfs} 

— 57122sfs} - 54925s}s} - 33124 sfs} - 13832sfs 2 - 2197s}s} 

— 4394s 3 s} — 4225sfs} — 2548s 3 s 2 — 169s}s 3 — 338sfs} 

— 325s 2 s 2 — 13sis! — 26sis 2 — s 2 = 0 

We note that a canonical lift only exists for the invariants of ordinary curves. 
The supersingular points, in contrast, fail to converge, and are in fact poles of 
each of the chosen functions for the lifting process. In characteristics 2 and 3 the 
$j$-invariant 0 is supersingular, which explains why we take as starting point of 
our canonical lifting algorithm $1/j = s_1 = t_1 = \cdots \bmod p$. For $p$ equal to 5 the 
$j$-invariant of a supersingular curve is also 0, and the starting point of lifting is 
therefore also $1/j = s_1 = t_1 \bmod 5$. However for 7 and 13 the starting points 
of the lifting algorithms are $1/(j + 1) = s_1 \bmod 7$ and $1/(j - 5) = s_1 \bmod 13$, 
corresponding to the supersingular $j$-invariants 6 and 5, respectively. 

To complete the specification of the algorithms for $X_0(5)$, $X_0(7)$, and $X_0(13)$, 
it remains to give the action of Verschiebung on the differentials of a generic curve 
as in Table 2. In terms of a special value $s_1$ which is the canonical lift of the 
invariants of an ordinary elliptic curve, we find the following form for the square of 
the action of pullback by the Verschiebung on two parametrized curves. 


$X_0(5)$ : 

$$\frac{G_5(s_1, 1)\, H_5(5^3 s_1, 1)}{G_5(5^2 s_1, 1)\, H_5(1, s_1)}, \quad \text{where } 
G_5(X, Y) = 5X^2 + 10XY + Y^2, \ H_5(X, Y) = -X^2 - 4XY + Y^2.$$ 


$X_0(7)$ : 


F 7 ( Sl ,l)(-7 7 si + G 7 (7 2 Sl ,l) + l) 
F 7 (7 2 si,l)(-7sf + 7G 7 (l,s 1 ) + l) 


, where 



136 David R. Kohel 


$$F_7(X, Y) = X^2 + 5XY + Y^2, \qquad G_7(X, Y) = (2X^2 + 9XY + 10Y^2)XY.$$ 


$X_0(13)$ : 

$$\frac{G_{13}(1, s_1)\, H_{13}(13 s_1, 1)}{G_{13}(13 s_1, 1)\, H_{13}(1, s_1)},$$ 

where 

$$G_{13}(X, Y) = X^4 + 7X^3Y + 20X^2Y^2 + 19XY^3 + Y^4,$$ 

$$H_{13}(X, Y) = X^6 + 10X^5Y + 46X^4Y^2 + 108X^3Y^3 + 122X^2Y^4 + 38XY^5 - Y^6.$$ 

The action of Frobenius with respect to $t_1$ on $X_0(25)$ is determined by means 
of the expression for the function $s_1 = 25t_1^5 + 25t_1^4 + 15t_1^3 + 5t_1^2 + t_1$ on $X_0(5)$ in 
terms of the function $t_1$ on $X_0(25)$. 
Abstract. This paper proposes a family of key management schemes for 
broadcast encryption based on a novel underlying structure, the Time Vary- 
ing Heterogeneous Logical Key Hierarchy (TVH-LKH). Note that the 
main characteristics of the previously reported key management schemes 
include the following: employment of a static underlying structure for 
key management, and addressing the subset covering problem over the 
entire underlying structure. In contrast, the main underlying ideas for 
developing the novel key management schemes based on TVH-LKH in- 
clude the following: (i) employment of a reconfigurable underlying struc- 
ture; and (ii) employment of a divide-and-conquer approach related to 
the underlying structure and an appropriate communications-storage- 
processing trade-off (for example, a small increase of the communication 
overload and a large reduction of the storage and processing overload) 
for addressing the subset covering problem and optimization of the over- 
loads. The design is based on a set of “static” keys at a receiver (stateless 
receiver) which are used in all possible reconfigurations of the underly- 
ing structure for key management, and accordingly, in a general case, 
a key plays different roles depending on the employed underlying struc- 
ture. A particular family of the components for developing TVH-LKH is 
also proposed and discussed. The proposed technique is compared with 
the recently reported schemes, and the advantages of the novel one are 
pointed out. 

Keywords: broadcast encryption, stateless receivers, key management, 
time varying schemes, heterogeneous structures, reconfigurability, tree 
graphs. 

1 Introduction 

Broadcast encryption (BE) schemes define methods for encrypting content 
so that only privileged users are able to recover the content from the broadcast. 
Later on, this flagship BE application has been extended to another one, me- 
dia content protection (see [17] or [12], for example). This application has the 
same one-way nature as an encrypted broadcast: a recorder makes an encrypted 
recording and a player needs to play it back. This situation usually gives the 
player and recorder no opportunity to communicate. Accordingly, in 
this paper we are dealing with stateless receivers: devices in which the 
operations must be accomplished based only on the current transmission and their 
initial configuration, because these receivers have no possibility to update 
their state from session to session. 

When cryptography is used for securing communications, a session-encrypt- 
ing key (SEK) is used to encrypt the data. Since the data are distributed to 
multiple receivers, in order to reduce the amount of encryption at the sender 
node and to minimize the required bandwidth, every intended receiver as well 
as the sender should share an identical SEK. In order to ensure that only the 
valid members of the group have access to the communications, the SEK needs to be 
changed whenever its lifetime expires, there is a change in the membership of 
the group, or one or more members are compromised. The SEK needs to be updated 
under membership change for the following reasons: (i) when a new member 
joins, to ensure that the new member has no access to the past communication 
of the group, and (ii) when a member departs or is deleted, to ensure that the 
departed or deleted member does not have access to future communications. 

Ensuring that only the valid members of the selected group have the SEK at 
any given time instant is the key management problem in BE. On the other 
hand, for the SEK updating, a system needs another set of keys called the key- 
encrypting keys (KEKs) that can be used to encrypt and transmit the updated 
SEK to the valid members of the group. Hence, the key management problem 
reduces to the problem of distributing the KEKs to the members such that at any 
given time instant all the valid members can be securely reached and updated 
with the new SEK. 

A number of sophisticated methods for BE key management have been re- 
ported in the literature employing the following approach: provide the receivers 
in advance with a collection of keys (KEKs) in such a manner that the 
communication overload is reduced. 

The first breakthrough in BE key management is reported in [8], which proposed 
schemes in which each receiver has a fixed set of reusable keys. 
However, the complexity of these schemes was strongly dependent on the size of 
the adversarial coalition. 

Later on, a number of different schemes as well as system approaches 
have been reported and analyzed; see [16], [20]-[21], [3], [1], [9], [17], [18], [19], 
[2] and [4], for example, and recently certain results have been reported in [11], 
[13], [6], [5], [14] and [15] as well. 

According to [11], the most interesting variant of BE deals with stateless 
receivers and has the following requirements: 

- Each user is initially given a collection of symmetric encryption keys. 

- The keys can be used to access any number of broadcasts. 

- The keys can be used to define any subset of users as privileged. 

- The keys are not affected by the user’s “viewing history”. 

- The keys do not change when other users join or leave the system. 

- Consecutive broadcasts can address unrelated privileged subsets. 

- Each privileged user can decrypt the broadcast by himself. 

- Even a coalition of all non-privileged users cannot decrypt the broadcast. 

This paper addresses the problem of developing improved BE key manage- 
ment schemes assuming the above given requirements. 

Contributions of the paper 

This paper proposes a family of key management schemes for broadcast encryp- 
tion based on the Time Varying Heterogeneous Logical Key Hierarchy (TVH- 
LKH). 

Note that the main characteristics of the previously reported key manage- 
ment schemes include the following ones: (i) employment of a static underlying 
structure for key management; (ii) addressing the subset covering problem con- 
sidering the underlying structure as a whole. 

In contrast, the main underlying ideas for developing the improved key man- 
agement schemes based on TVH-LKH include the following: 

- employment of a time varying (reconfigurable) heterogeneous underlying 
structure; 

- employment of a divide-and-conquer approach related to the underlying 
structure and an appropriate communications-storage-processing trade-off 
(for example: a small increase of the communication overload and large re- 
duction of the storage and processing overload) for addressing the subset 
covering problem and optimization of the overloads. 

Note that the proposed design is based on a set of “static” keys at a receiver 
(stateless receivers) which are used for all possible reconfiguration of the under- 
lying structure for key management. So, in a general case, a key plays different 
roles depending on the employed underlying structure. 

A family of the components called sectioned heterogeneous LKH (SH-LKH) 
and its special form consisting of the sectioned key trees (SKTs) are considered 
for developing the reconfigurable logical key hierarchy, and TVH-LKH with two 
particular family members called SKT-A and SKT-B is discussed. 

The approach employed for design of SH-LKH family could be formulated 
as follows: Before dealing with the set covering issues, perform an appropriate 
preprocessing over the underlying LKH in order to specify a more suitable un- 
derlying structure for the set covering. 

The main underlying ideas for developing a novel family of key management 
schemes are based on employment of appropriate clustering of the keys and 
users, and employment of heterogeneous, time varying and cluster oriented 
local key management. Accordingly, the design rationale for the novel family 
includes the following: (i) specification of the appropriate partitions/sections over 
the employed LKH; (ii) performing key management on a section-by-section 
basis; (iii) in a general case, employment of different key management schemes in 
different sections or at different time instants; (iv) in certain cases, employment 
of modified local (section related) key management schemes which employ a 
relaxed specification of the privileged set. 
Let $N$ be the number of receivers and $R$ the number of revocations. Assuming 
that the parameters of a particular TVH-LKH scheme with SKT-A and SKT-B 
are $H_{0A}$, $H_{0B}$, $H_{1B}$, $R_{0A}$, $R_{0B}$ and $R_{1B}$, such that $1 \le H_{0A} \le \log_2 N$, $2 \le H_{0B} + 
H_{1B} \le \log_2 N$, $1 \le R_{0A} \le R$, and $1 \le R_{1B} \le R_{0B} \le R$, its main characteristics 
are as follows. Dimension of the storage@receiver overload: 
$O(\max\{ (H_{0A})^{1.5} - H_{0A} + \log_2 N,\ (H_{0B})^{1.5} + (H_{1B})^{1.5} - H_{0B} - H_{1B} + \log_2 N \})$. 
Dimension of the communications overload: 
$O(\min\{ R + R_{0A}(\log_2 N - H_{0A}) - R_{0A}\log_2 R_{0A},\ 
R + R_{0B} + R_{1B}(\log_2 N - H_{1B} - H_{0B}) - R_{1B}\log_2 R_{0B} \})$. 
Maximum dimension of the processing@receiver overload: $O(\max\{H_{0A}, \max\{H_{0B}, H_{1B}\}\})$. 

An illustrative comparison of the main characteristics of the proposed key 
management and the recently reported ones is given in Table 1, assuming a huge 
group with heavy dynamics in order to demonstrate the advantages of the proposal 
even in that scenario. Intentionally, the comparison is related to the 
most powerful recently reported schemes based on the binary tree approach, to 
demonstrate the advantages of the considered particular TVH-LKH, which is also 
based on the binary tree approach. 


Table 1. Illustrative numerical comparison of the main characteristics of the proposed 
TVH-LKH key management schemes and the Complete Sub-Tree (CST) [17], Subset 
Difference (SD) [17] and Layered Subset Difference (LSD) [11], assuming $N = 2^{27}$ 
receivers and $R = 2^{15}$ revocations, and that the parameters of the considered TVH- 
LKH technique are $H_{0A} = 10$, $H_{0B} = 7$, $H_{1B} = 7$, $R_{0A} = 2^{14}$, $R_{0B} = 2^{14}$ and 
$R_{1B} = 2^{11}$. 

technique            storage@receiver   processing@receiver   communication 
CST [17]             ~ 27               ~ 5                   ~ 12 · 2^16 
SD [17]              ~ 729              ~ 27                  ~ 2^16 
basic LSD [11]       ~ 140              ~ 27                  ~ 2^16 
proposed TVH-LKH     ~ 49               ~ 7                   ~ 1.5 · 2^15 


Table 1 illustrates how combining heterogeneous schemes in a time-varying 
manner is a powerful approach for developing improved key management 
schemes which yield a possibility for appropriate trade-offs between the main 
overloads of the system. 

Organization of the paper 

Section 2 presents the underlying ideas for developing the improved key man- 
agement schemes, and a general framework for key management based on the 
reconfigurable logical key hierarchy (TVH-LKH). Key management based on a re- 
configurable logical key hierarchy which employs a collection of the sectioned 
key trees is considered in Section 3, including a comparison of a particular TVH- 
LKH based technique and recently reported schemes targeting the same key 
management scenario. Finally, some concluding discussions are given in Sec- 
tion 4, and two proposition proofs are accommodated in Appendices A-B. 

2 Underlying Ideas and General Framework for a Novel Design 

This section points out the underlying ideas for the improved key management 
schemes proposed in this paper, and a general framework for development of 
these schemes. 

Note that the general static key management paradigm is based on the fol- 
lowing: 

(a) The BE center specifies the set of all keys it will use, and assigns a subset of it to each 
receiver in such a manner that, based on the keys stored at the receivers, 
the BE center can split the set of all receivers into two arbitrary (usually) non- 
overlapping parts. 

(b) The BE center adopts a method for covering an arbitrary subset of the receivers 
taking into account the keys assigned to the receivers. 

(c) The established system is used for the session key distribution. 

Unfortunately, in a general case, the above item (b) is a variation of the 
Set Cover problem (see [10] for example): It is known that no approximation 
algorithm exists for the Set Cover with a worst-case approximation ratio better 
than ln(N) [7] (assuming that N is the number of receivers). 

In order to deal with the covering problem in an efficient way and employing 
much smaller required set of keys and the reduced processing at a receiver in 
comparison with the reported schemes, this section proposes a novel approach 
based on the reconfigurable key management. The following main three issues 
are addressed: (i) underlying ideas for proposing reconfigurable logical key hier- 
archy; (ii) general framework for the reconfigurable key management; and (iii) a 
discussion on selection of the main components for the proposed framework. 


2.1 Underlying Ideas for the Key Management Schemes Based on Reconfigurable Logical Key Hierarchy 

Recall that the main characteristics of the reported key management schemes 
include the following: 

— employment of a static underlying structure for the key management; 

— addressing the subset covering problem considering the underlying structure 
as a whole. 

In contrast, the main underlying ideas for developing the improved TVH-LKH 
based key management schemes include the following: 

- employment of a reconfigurable underlying structure; 

- employment of a divide-and-conquer approach related to the underlying 
structure and an appropriate communications-storage-processing trade-off 
(for example, a small increase of the communication overload and a large re- 
duction of the storage and processing needed by a receiver) for addressing 
the subset covering problem and optimization of the system overloads. 

Note that the design is based on a set of “static” keys at a receiver which are 
used for all possible reconfigurations of the underlying structure for key manage- 
ment. So, in a general case, a particular key plays different roles depending on 
the employed underlying structure. 

Recently, very efficient key management schemes, Complete SubTree (CST) 
and Subset Difference (SD), have been proposed in [17], and Layered Subset Dif- 
ference (LSD) has been reported in [11]. These schemes have been developed by 
focusing on obtaining a solution for the underlying set covering problem using 
the tree based paradigm. The approach proposed in this paper, besides employ- 
ing the reconfigurability concept, also differs from the 
previously reported ones in a way which could be formulated as follows: Before 
dealing with the set covering issues, perform an appropriate preprocessing over 
the underlying LKH in order to specify a more suitable underlying structure 
for the set covering. The employed preprocessing could also be considered as a 
particular divide-and-conquer method for key management. 

The main underlying ideas for developing a novel family of the key manage- 
ment schemes include the following: 

- employment of a time varying logical key hierarchy; 

- specification of a set of different and appropriate partitions/sections of the 
logical key hierarchy (in a particular case based on appropriate clustering of 
the keys and users); 

- performing key management on a section-by-section basis (heterogeneous 
cluster oriented local key management); 

- in a general case, employment of different key management schemes in different 
sections or at different time instances; 

- optionally, in certain cases, employment of modified local (section related) 
key management schemes which provide a relaxed specification of the privi- 
leged set. 

The opportunity for employing different key management schemes in 
different sections or at different time instances opens the door to the desired optimization 
of the key management overload characteristics. For example, recall that CST 
re-keying requires significantly smaller storage@receiver overload at the expense 
of increased communications overload in comparison with LSD based re-keying. 
Accordingly, employing the CST based technique in one subset of the tree sec- 
tions and the LSD based one in another subset, for example, yields an opportunity 
for obtaining the desired overall characteristics. Also note the following two char- 
acteristics of the SD and LSD schemes: (i) the communications overload is linear in 
R; (ii) the storage@receiver overload is polynomial in log N. These characteristics 
open the door for the trade-off based on the divide-and-conquer approach. Addition- 
ally, note that, for example, a relaxed version of SD or LSD, which does not 
perform the strict revocations but the relaxed ones in a manner similar to that 
reported in [1], could be employed as the appropriate one in certain cases. 

Also note that, although the key management at the center’s side is time 
varying and based on section-by-section processing, this has no impact at 
the receiver’s side: after all, a receiver should employ, in an appropriate 
manner, just one of its KEKs to recover the new SEK. 


2.2 General Framework for the Key Management Based on Reconfigurable Logical Key Hierarchy 

The Center’s Framework 

Pre-processing 

Establishing the reconfigurable logical key hierarchy based key management re- 
quires the following main actions at the center side. 

— Specification of a collection of the underlying structures to be used for the 
covering of privileged (non-revoked) receivers. 

— Assigning a set of keys to each of the receivers in such a manner that the key 
management can be performed employing any of the underlying structures 
from the collection. 

Processing 

For delivering a new SEK the center performs the following: 

- According to the given list of revocations, the center selects an appropriate 
underlying structure from the collection for key management. 

- The center jointly broadcasts encrypted forms of the new SEK obtained by 
employing different KEKs, and information on the KEKs employed, as well as 
the mode of their use, determined by the currently selected underlying structure. 


The Receiver’s Framework 

The framework for the proposed TVH-LKH based key management at the re- 
ceiver’s side consists of the following components: 

— Each receiver is provided with a set of the keys and information on modes 
of their use. 

— If not revoked, during the key management communication, a receiver ob- 
tains the following information: 

• which of its KEKs should be employed for the new SEK recovering, and 

• in which mode the employed KEK should be used (depending on the 
currently employed underlying structure from the predefined set), 

and accordingly it is able to recover the new SEK. 



144 Miodrag J. Mihaljevic 


2.3 On the Keys Employment and Selection of the Underlying Structures 

Note that the design is based on a set of “static” keys at a receiver which are used 
for all possible reconfiguration of the underlying structure for key management, 
and accordingly, in a general case, a key plays different roles depending on the 
employed underlying structure. 

A main component of the reconfigurable key management is a collection of 
the underlying structures, and regarding these structures note the following. 

- The underlying structures could be very different, but all of them should fulfil 
the following condition: they should be able to work with the same single 
set of keys (KEKs), assuming that a key can be employed in different modes. 

- A large number of reconfigurable schemes can be designed in an ad hoc 
manner. Selection of the underlying structures included in the collection de- 
pends on the functional requirements of the key management. An optimized 
design should particularly take into account the space and time distribution 
of the revocations. 

Accordingly, for given number of keys at a receiver, the reconfigurable logical 
key hierarchy (TVH-LKH) based key management yields an opportunity for 
minimizing the communications overload or the processing@receiver overload. 
On the other hand, note that TVH-LKH based schemes do not require additional 
storage@receiver overload in comparison with corresponding static LKH schemes 
which can be employed for the same revocation scenario. 

3 A Reconfigurable Key Management Based on 
a Collection of Sectioned Heterogeneous LKHs 

3.1 General Design Issues 

Recall that the first step for establishing a reconfigurable logical key hierarchy is 
selection of a collection of the appropriate underlying structures for key manage- 
ment. This section proposes a particular TVH-LKH based on a novel structure 
called sectioned heterogeneous LKH (SH-LKH) for developing the underlying 
collection for the reconfigurable key management. 

The SH-LKH structure is displayed in Fig. 1. The triangles play the roles of certain 
substructures: in a particular case they are the subtrees with the root at the 
top of the triangle and the leaves at the triangle bottom. These subtrees (embedded 
into triangles) could be very different, including the following: (i) a balanced 
binary tree, (ii) a tree consisting just of the root and a number of leaves, or 
(iii) other suitable trees. 

From the center’s point of view, the key management scheme consists, as in 
the usual case, of the following two main components: (i) an underlying structure 
for assigning the keys and receivers; (ii) methods employed for distributing a 
session key (SEK) to the stateless receivers. Beyond this conceptual similarity, the 
proposed scheme differs from the reported ones as follows: 

Fig. 1. A general form of the sectioned heterogeneous logical key hierarchy (SH-LKH). 
The triangles play the roles of certain substructures, and in a particular case they are the 
subtrees with the root at the top of the triangle and the leaves at the triangle bottom. 


- instead of a single underlying structure the center “possesses” a collection 
of different underlying structures; 

- each element of the collection is an SH-LKH; 

- the distribution of the SEK is based not on a single technique but on the employment 
of a number of different ones. 

Accordingly, TVH-LKH employing SH-LKH is based on the following. 

- The center selects an appropriate collection of SH-LKHs to be used for key 
management. 

- A set of keys is assigned to each of the receivers in such a manner that it 
can support any of the SH-LKH key management schemes from the collection. 

- In the case of SEK rekeying, the center broadcasts the SEK encrypted under 
different KEKs, and the related information on the employed keys and the 
mode of their use. 

- At the receiver’s side the processing is adjusted according to the obtained 
information on the employed keys. 

Note that a special case of SH-LKH is the sectioned key tree (SKT) intro- 
duced in [15]. 


3.2 Key Management Based on Sectioned Key Trees (SKTs) 

This section, following [15], provides a background for developing and analyzing a 
particular TVH-LKH based on a collection of the underlying structures called 
sectioned key trees (SKTs). Note that SKTs are just a particular family of the 
binary tree structures which could be employed for the design of certain TVH-LKH. 

Fig. 2. An illustration of the sectioned key tree (SKT). As usual, the center is as- 
sociated with the tree root, a receiver is at a leaf, and the keys are related to the tree 
nodes. 


Family of SKTs 

An SKT is the sectioned key tree displayed in Fig. 2 and obtained by the following 
horizontal and vertical partitioning: 

— a number of the horizontal layers is specified; 

— each layer is partitioned into a number of sections, and each section contains 
a sub-tree whose root is identical to a leaf of the upper layer section. 

In a special case, the following can be enforced: each of the layers has the same 
height, and each layer’s section contains the same number of nodes. Accordingly, 
each section contains the same subtree. 

In a general case, the tree is partitioned into $L$ horizontal layers with the 
heights $H_\ell$, $\ell = 0, 1, \ldots, L-1$, respectively, assuming that $\ell = 0$ corresponds to 
the bottom layer and $\ell = L-1$ to the top one. Then, the top layer contains a 
sub-tree with $2^{H_{L-1}}$ leaves, and a layer $\ell$ consists of 

$$\prod_{i=\ell+1}^{L-1} 2^{H_i} = 2^{\sum_{i=\ell+1}^{L-1} H_i}$$ 

sections, each containing a sub-tree with $2^{H_\ell}$ leaves. 

Accordingly, we assume the following basic scenario for the key management 
based on the above underlying structure: $N$ receivers grouped into $M$ clusters, 
$R$ revocations in total, assuming $R_m$ revocations from a cluster with index $m$, 
$m = 1, 2, \ldots, M$, and the parameter $M$ is an integer such that $\sum_{m=1}^{M} R_m = R$ 
and $N/M$ is an integer, $M < N$. 

Section-by-Section Key Management 

The proposed key management scheme assumes section-by-section key management, 
and in a general case it yields the opportunity to employ different local key 
management schemes in different sections. 
Assuming an SKT with $L$ layers, and that a layer $\ell$ contains $M^{(\ell)}$ sections, 
$\ell = 0, 1, \ldots, L-1$, we propose the following section-by-section key management: 

— layer 0 processing 

• For the subtree corresponding to section $j$, identify a set $\mathcal{R}_j^{(0)}$ of the 
leaves (receivers) which should be revoked, $j = 1, 2, \ldots, M^{(0)}$. 

• Perform section-by-section processing: for the revocations over the sub- 
tree in section $j$ employ a desired key management scheme for revocation 
of the elements in $\mathcal{R}_j^{(0)}$, $j = 1, 2, \ldots, M^{(0)}$. 

— layer $\ell$ processing, $\ell = 1, 2, \ldots, L-1$ 

• For the subtree corresponding to section $j$, identify a set $\mathcal{R}_j^{(\ell)}$ of the 
leaves which correspond to the sections in layer $\ell - 1$ affected by the 
revocations, and accordingly which should be revoked, $j = 1, 2, \ldots, M^{(\ell)}$. 

• Perform section-by-section processing: for the revocations over the sub- 
tree in section $j$ employ a desired key management scheme for revocation 
of the elements in $\mathcal{R}_j^{(\ell)}$, $j = 1, 2, \ldots, M^{(\ell)}$. 


Center 

At the center side, the procedure for revocation of a number of receivers consists 
of the following main steps: 

(a) the center specifies a set of receivers which should be revoked; 

(b) employing the section-by-section processing, the center decides on KEKs 
(nodes of the tree) which should be used for the new SEK delivery (encryp- 
tion); 

(c) the center broadcasts the following message: (i) implicit information on the 
employed KEKs; and (ii) the new SEK encrypted by each of the employed 
KEKs. 

Let $E(\cdot)$ denote the algorithm employed for encryption of the new SEK 
(newSEK), let $I_m$ denote the information on the KEK with index $m$, $KEK_m$, 
employed for encryption of the new SEK, $m = 1, 2, \ldots, M$, where $M$ is the total 
number of KEKs employed for covering the desired subset of receivers, and let 
$E_{newSEK}(\cdot)$ denote the algorithm employed for the payload encryption. Accordingly, 
the BE center broadcasts the following: 

$$[[I_1, I_2, \ldots, I_M, E_{KEK_1}(newSEK), E_{KEK_2}(newSEK), \ldots, E_{KEK_M}(newSEK)],\ E_{newSEK}(Payload)]$$ 

$$= [[I_1, I_2, \ldots, I_M, C_1, C_2, \ldots, C_M],\ PayloadCiphertext].$$ 


Receivers 

At a receiver side the situation is equivalent to, for example, the one when 
CST, SD, or LSD based approaches are employed. A receiver should store a number 
of cryptographic keys, monitor the communication channel to see whether 
its current SEK should be exchanged, and if “yes” extract the new SEK based 
on certain processing employing a memorized key. Actually, a receiver cannot 
be aware of the underlying structure employed at the center’s side. 

At a receiver’s side the re-keying is performed as follows. Each receiver 
monitors the communications channel looking for the re-keying message broadcast 
by the center. In this message, a non-revoked receiver will find information 
on a KEK it possesses which should be used for recovering the new SEK. Based 
on this information and the encrypted form of the new SEK, the non-revoked 
receiver will recover the new SEK. 

Accordingly, upon receiving a broadcast message, the receiver performs the 
following operations: 

— Finding the $I_m$ which is related to the receiver: if the receiver is revoked, no 
such information will be found; 

— Employing $I_m$ and the keys stored at the receiver, perform processing in 
order to recover the $KEK_m$ employed for the new SEK encryption; 

— Recovering the new SEK by performing the decryption $E^{-1}_{KEK_m}(C_m)$. 

Finally, after recovering the new SEK, the payload is obtained by 
$E^{-1}_{newSEK}(PayloadCiphertext)$. 
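The section-by-section processing, the center's broadcast $[[I_1, \ldots, I_M, C_1, \ldots, C_M]]$ and the receiver's recovery described above, as an added example in Python (not code from the paper): it lays the key tree out in heap order, runs a complete-subtree (CST) cover inside every affected section from the bottom layer upward, treats the affected sections as the revoked leaves of the next layer, and shows that a receiver's static leaf-to-root key set serves whatever layering the center picks. CST is used in every section here, whereas the paper's SKT-A and SKT-B place basic LSD in the lower layers; the HMAC key derivation, the XOR stand-in for $E(\cdot)$ and all parameter values are constructed for this example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Set, Tuple

# Heap-indexed binary key tree: root = 1, children of v are 2v and 2v+1.
# The N = 2**h receivers sit at the leaf nodes N .. 2N-1 (receiver r <-> node N + r).


def node_key(master: bytes, node: int) -> bytes:
    """KEK attached to a tree node, derived from the center's master secret (illustrative)."""
    return hmac.new(master, b"KEK-%d" % node, hashlib.sha256).digest()


def encrypt(key: bytes, msg: bytes) -> bytes:
    """Stand-in for E_KEK(.): XOR with a SHA-256 keystream under a fresh nonce (msg <= 32 bytes)."""
    assert len(msg) <= 32
    nonce = secrets.token_bytes(16)
    stream = hashlib.sha256(key + nonce).digest()
    return nonce + bytes(a ^ b for a, b in zip(msg, stream))


def decrypt(key: bytes, ct: bytes) -> bytes:
    nonce, body = ct[:16], ct[16:]
    stream = hashlib.sha256(key + nonce).digest()
    return bytes(a ^ b for a, b in zip(body, stream))


def cst_cover(root: int, height: int, revoked: Set[int]) -> List[int]:
    """CST cover of the section rooted at `root`: the maximal subtrees whose leaves
    (at depth `height` below root) contain no revoked element."""
    lo, hi = root << height, (root + 1) << height      # leaf range of this subtree
    if not any(lo <= v < hi for v in revoked):
        return [root]
    if height == 0:
        return []                                        # a revoked leaf itself
    return cst_cover(2 * root, height - 1, revoked) + cst_cover(2 * root + 1, height - 1, revoked)


def center_rekey(master: bytes, h: int, heights: List[int], revoked_receivers: Set[int],
                 new_sek: bytes) -> List[Tuple[int, bytes]]:
    """Section-by-section processing. heights[0] is the bottom layer, heights[-1] the top.
    Returns the broadcast [(I_m, C_m)] with I_m = node id of KEK_m, C_m = E_KEK_m(newSEK)."""
    assert sum(heights) == h and heights
    n = 1 << h
    revoked = {n + r for r in revoked_receivers}         # layer-0 revoked leaves
    leaf_depth = h                                       # depth of this layer's section leaves
    cover: List[int] = []
    for layer, H in enumerate(heights):
        root_depth = leaf_depth - H
        top = layer == len(heights) - 1
        affected: Set[int] = set()
        for s in range(1 << root_depth, 2 << root_depth):   # section roots of this layer
            lo, hi = s << H, (s + 1) << H
            in_section = {v for v in revoked if lo <= v < hi}
            if in_section or top:                        # untouched sections are covered from above
                cover += cst_cover(s, H, in_section)
                if in_section:
                    affected.add(s)
        revoked = affected                               # affected sections: revoked leaves one layer up
        leaf_depth = root_depth
    return [(node, encrypt(node_key(master, node), new_sek)) for node in cover]


def receiver_keys(master: bytes, h: int, receiver: int) -> Dict[int, bytes]:
    """The receiver's static key set: KEKs of all nodes on its leaf-to-root path (h + 1 keys).
    The same set serves every layering `heights` the center may choose."""
    keys: Dict[int, bytes] = {}
    node = (1 << h) + receiver
    while node >= 1:
        keys[node] = node_key(master, node)
        node //= 2
    return keys


def receiver_rekey(keys: Dict[int, bytes], broadcast: List[Tuple[int, bytes]]) -> Optional[bytes]:
    """Find an I_m naming a KEK this receiver holds and recover newSEK; a revoked receiver finds none."""
    for node, c in broadcast:
        if node in keys:
            return decrypt(keys[node], c)
    return None


if __name__ == "__main__":
    master = secrets.token_bytes(32)
    h, heights = 4, [2, 2]                 # N = 16 receivers, two layers of height 2 (constructed)
    new_sek = secrets.token_bytes(32)
    bc = center_rekey(master, h, heights, {3, 9}, new_sek)
    print("KEK ids in broadcast:", sorted(n for n, _ in bc))
    for r in (2, 3, 9, 12):
        print("receiver", r, "recovered:", receiver_rekey(receiver_keys(master, h, r), bc) == new_sek)
```

With CST in every section the resulting cover coincides with a single-layer CST over the whole tree (the test below checks this for the two-layer and one-layer cases); the asymptotic gains stated in Propositions 1 and 2 come from the basic LSD scheme used in the lower layers, which this block does not implement.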

Two Particular Key Management Schemes: SKT-A and SKT-B 

As illustrative examples, this section specifies two particular key management 
schemes called SKT-A and SKT-B, where SKT stands for Sectioned Key Tree. 

SKT-A. SKT-A is a particular key management scheme based on the following 
partitioning of the key tree and the local re-keying: 

• There are two horizontal layers, and the height of the bottom one is equal to $H_{0A}$; 
accordingly the upper layer has height equal to $\log_2 N - H_{0A}$; 

• The basic LSD [11] revocation method is employed in each section of the bottom 
layer, and the CST [17] revocation method is employed in the upper layer section. 

SKT-B. SKT-B is a particular key management scheme based on the following 
partitioning of the key tree and the local re-keying: 

• There are three horizontal layers, and the heights of the bottom and middle ones 
are equal to $H_{0B}$ and $H_{1B}$, respectively; accordingly the top layer has height 
equal to $\log_2 N - H_{0B} - H_{1B}$; 

• The basic LSD [11] revocation method is employed in each section of the two lower 
layers, and the CST [17] revocation method is employed in the upper layer section. 

Analysis of SKT Based Key Management Schemes 

This section is focused on the following issues of the considered key management 
schemes: (i) communications - dimension of the message overload to be sent for 
the re-keying; (ii) storage@receiver - dimension of the keys which should be stored 
at a receiver; (iii) processing@receiver - processing overload due to the key 
updating at a receiver. 
Main Characteristics of SKT-A. Taking into account the results reported 
in [17] and [11], it can be shown that SKT-A key management has the following 
main characteristics. 

Proposition 1. SKT-A key management requires the following overload for $R$ 
revocations in total which affect $R_{0A}$ different sections, assuming $R/R_{0A}$ revo- 
cations per section: 

— dimension of the storage@receiver overload: $O((H_{0A})^{1.5} - H_{0A} + \log_2 N)$; 

— dimension of the communications overload: $O(R + R_{0A}((\log_2 N) - H_{0A}) - R_{0A}\log_2 R_{0A})$; 

— dimension of the processing@receiver overload: $O(H_{0A})$. 

The proposition proof is given in Appendix A. 


Main Characteristics of SKT-B. Taking into account the results reported 
in [17] and [11], it can be shown that SKT-B key management has the following 
main characteristics. 

Proposition 2. SKT-B key management requires the following overload for $R$ 
revocations in total which affect $R_{0B}$ and $R_{1B}$ different sections in the lower two 
layers, the bottom (0-th) and the middle (1-st) ones, respectively: 

— dimension of the storage@receiver overload: $O((H_{0B})^{1.5} + (H_{1B})^{1.5} - H_{0B} - H_{1B} + \log_2 N)$; 

— dimension of the communications overload: $O(R + R_{0B} + R_{1B}((\log_2 N) - H_{1B} - H_{0B}) - R_{1B}\log_2 R_{1B})$; 

— dimension of the processing@receiver overload: $O(\max\{H_{0B}, H_{1B}\})$. 

The Proposition 2 proof is given in Appendix B. 


3.3 Illustrative Example of TVH-LKH Employing SKTs 

As an illustration of the proposed TVH-LKH based on a collection of SKTs, we 
consider the following toy example: 

• The TVH-LKH underlying collection consists of only SKT-A and SKT-B, and there 
are $R$ revocations in total. 

• In the SKT-A case, the $R$ revocations affect $R_{0A}$ clusters of receivers (sections). 

• In the SKT-B case, the $R$ revocations affect $R_{0B}$ sections in the bottom layer and 
$R_{1B}$ sections in the middle layer. 

Proposition 3. The above specified TVH-LKH key management over a group 
of $N$ receivers requires the following overload for $R$ revocations in total which 
affect $R_{0A}$, or $R_{0B}$ and $R_{1B}$, different sections in the lower layers of SKT-A and 
SKT-B, respectively: 
— dimension of the storage@receiver overload: $O(\max\{((H_{0A})^{1.5} - H_{0A} + \log_2 N),\ ((H_{0B})^{1.5} + (H_{1B})^{1.5} - H_{0B} - H_{1B} + \log_2 N)\})$; 

— dimension of the communications overload: $O(\min\{(R + R_{0A}((\log_2 N) - H_{0A}) - R_{0A}\log_2 R_{0A}),\ (R + R_{0B} + R_{1B}((\log_2 N) - H_{1B} - H_{0B}) - R_{1B}\log_2 R_{1B})\})$; 

— dimension of the processing@receiver overload: $O(H_{0A})$ or $O(\max\{H_{0B}, H_{1B}\})$. 

Table 2. Comparison of the storage@receiver and processing@receiver overloads of the 
proposed TVH-LKH key management scheme and the Complete Sub-Tree (CST) [17], 
Subset Difference (SD) [17] and Layered Subset Difference (LSD) [11], assuming $N$ 
receivers, $R$ revocations, and the parameters of the considered TVH-LKH technique 
are $H_{0A}, H_{0B}, H_{1B}, R_{0A}, R_{0B}$ and $R_{1B}$, such that $1 < H_{0A} < \log_2 N$, $2 < H_{0B} + H_{1B} < \log_2 N$, 
$1 < R_{0A} < R$, and $1 < R_{1B} < R_{0B} < R$. 

| technique        | storage@receiver                                                                                                    | processing@receiver                        | 
| CST [17]         | $O(\log_2 N)$                                                                                                       | $O(\log_2 \log_2 N)$                       | 
| SD [17]          | $O((\log_2 N)^2)$                                                                                                   | $O(\log_2 N)$                              | 
| basic LSD [11]   | $O((\log_2 N)^{1.5})$                                                                                               | $O(\log_2 N)$                              | 
| proposed TVH-LKH | $O(\max\{((H_{0A})^{1.5} - H_{0A} + \log_2 N),\ ((H_{0B})^{1.5} + (H_{1B})^{1.5} - H_{0B} - H_{1B} + \log_2 N)\})$ | $O(H_{0A})$ or $O(\max\{H_{0B}, H_{1B}\})$ | 

Proof Remarks. The proposition statement is a direct consequence of Proposi- 
tions 1 and 2, and of the selection strategy of TVH-LKH, which assumes em- 
ployment of the scheme from the available collection which minimizes the 
communications overload. Note in particular that the storage@receiver over- 
load is determined by the maximum storage@receiver overload required by the 
schemes in the collection. 

Accordingly, based on the results on CST, SD and LSD reported in [17] and 
[11], respectively, a comparison of these schemes and the considered TVH-LKH 
is summarized in Tables 2 and 3. Note that the comparison is intentionally made 
with the most powerful recently reported schemes based on the binary tree 
approach, to demonstrate the advantages of the considered particular TVH-LKH, 
which is also based on the binary tree approach. 

Table 2 yields a comparison of the storage and processing overloads, and 
Table 3 displays a comparison of the communications overloads. 
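To see how the selection strategy behind Proposition 3 behaves on concrete revocation patterns, the following added example (Python; not from the paper) counts the affected sections $R_{0A}$, $R_{0B}$ and $R_{1B}$ for a given set of revoked receivers, evaluates the expressions inside the $O(\cdot)$ bounds of Propositions 1 and 2 as cost estimates, and picks the member of the two-scheme collection with the smaller communications estimate, while the storage estimate is the maximum over the collection. The tree layout, the parameter values and the two revocation sets are constructed here; the guards for $R_{0A} = 0$ or $R_{1B} = 0$ (where $\log_2 0$ is undefined) are an assumption of this example.

```python
import math
from typing import Dict, List, Sequence, Set, Tuple


def affected_sections(h: int, heights: Sequence[int], revoked: Set[int]) -> List[int]:
    """Number of sections touched by the revocations in each layer, bottom layer first.
    Receiver r of N = 2**h sits at leaf node 2**h + r of a heap-indexed tree; a layer
    of height H folds 2**H consecutive leaves (of the layer below) into one section,
    so shifting a node id right by H gives the root of its section."""
    current = {(1 << h) + r for r in revoked}
    counts = []
    for H in heights:
        current = {v >> H for v in current}
        counts.append(len(current))
    return counts


def skt_a_costs(n: int, h0a: int, r: int, r0a: int) -> Tuple[float, float, float]:
    """(storage, communications, processing) expressions of Proposition 1, without the O(.)."""
    lg = math.log2(n)
    storage = h0a ** 1.5 - h0a + lg
    comm = r + r0a * (lg - h0a) - (r0a * math.log2(r0a) if r0a else 0)   # guard log2(0)
    return storage, comm, float(h0a)


def skt_b_costs(n: int, h0b: int, h1b: int, r: int, r0b: int, r1b: int) -> Tuple[float, float, float]:
    """(storage, communications, processing) expressions of Proposition 2, without the O(.)."""
    lg = math.log2(n)
    storage = h0b ** 1.5 + h1b ** 1.5 - h0b - h1b + lg
    comm = r + r0b + r1b * (lg - h1b - h0b) - (r1b * math.log2(r1b) if r1b else 0)
    return storage, comm, float(max(h0b, h1b))


def tvh_lkh_select(n: int, h0a: int, h0b: int, h1b: int, revoked: Set[int]) -> Dict[str, object]:
    """Selection step of the toy TVH-LKH: evaluate SKT-A and SKT-B on the actual
    revocation pattern and use the one with the smaller communications estimate
    (Proposition 3). Storage is the max over the collection because a receiver holds
    the static keys for both members."""
    h = n.bit_length() - 1
    assert 1 << h == n and 1 <= h0a <= h and 2 <= h0b + h1b <= h
    r = len(revoked)
    r0a = affected_sections(h, [h0a], revoked)[0]
    r0b, r1b = affected_sections(h, [h0b, h1b], revoked)
    a = skt_a_costs(n, h0a, r, r0a)
    b = skt_b_costs(n, h0b, h1b, r, r0b, r1b)
    choice = "SKT-A" if a[1] <= b[1] else "SKT-B"
    return {"choice": choice, "R0A": r0a, "R0B": r0b, "R1B": r1b,
            "SKT-A": a, "SKT-B": b,
            "storage": max(a[0], b[0]), "comm": min(a[1], b[1])}


if __name__ == "__main__":
    N = 1024                                   # constructed: N = 2**10 receivers
    clustered = set(range(8))                  # 8 revocations inside one bottom section
    spread = set(range(0, N, 8))               # one revocation in every bottom section
    for name, rev in (("clustered", clustered), ("spread", spread)):
        res = tvh_lkh_select(N, 3, 3, 3, rev)
        print(name, "->", res["choice"], "comm A/B =", res["SKT-A"][1], res["SKT-B"][1])
```

With $H_{0A} = H_{0B} = H_{1B} = 3$ the clustered pattern favours SKT-B (13 vs 15), while one revocation per bottom section favours SKT-A (128 vs 256), because once every section is affected the extra $R_{0B}$ term of SKT-B has nothing left to save in the upper layers.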

4 Discussion 

A novel and flexible paradigm for developing BE key management schemes is 
proposed. The proposal is based on the reconfigurability concept, and it yields 
improved overall characteristics in comparison with the previously reported 
techniques. Tables 1-3 show that combining heterogeneous schemes in a 
time-varying manner appears to be a powerful approach for developing improved key 
management schemes which allow the desired trade-offs between the 
main overloads related to the key management system. The design is based on a 
set of “static” keys at a receiver which are used for all possible reconfigurations 
of the underlying structure for key management, and accordingly, in a general 
case, a key plays different roles depending on the employed underlying structure. 

Table 3. Comparison of the communications overload of the proposed TVH-LKH key 
management scheme and the Complete Sub-Tree (CST) [17], Subset Difference (SD) 
[17] and Layered Subset Difference (LSD) [11], assuming $N$ receivers, $R$ revocations, 
and the parameters of the considered TVH-LKH technique are $H_{0A}, H_{0B}, H_{1B}, R_{0A}, R_{0B}$ 
and $R_{1B}$, such that $1 < H_{0A} < \log_2 N$, $2 < H_{0B} + H_{1B} < \log_2 N$, $1 < R_{0A} < R$, 
and $1 < R_{1B} < R_{0B} < R$. 

| technique        | communications overload | 
| CST [17]         | $O(R\log_2 N)$ | 
| SD [17]          | $O(R)$ | 
| LSD [11]         | $O(R)$ | 
| proposed TVH-LKH | $O(\min\{(R + R_{0A}(\log_2 N - H_{0A}) - R_{0A}\log_2 R_{0A}),\ (R + R_{0B} + R_{1B}((\log_2 N) - H_{1B} - H_{0B}) - R_{1B}\log_2 R_{1B})\})$ | 

The Gain Origins. The main origin of the gain obtained by the proposed key 
management in comparison with the previously reported techniques is due to 
the employed concept of reconfigurability and a dedicated divide-and-conquer 
approach. Particularly, certain gain origins include the following: (i) partition of 
the underlying LKH structure into the sections which appears as a very power- 
ful technique for obtaining improved characteristics; (ii) performing overall key 
management based on a number of local (the section oriented) key managements; 
in a general case these key managements can be different and time varying. 

Some Further Work Directions. TVH-LKH yields a generic framework for devel- 
oping efficient key management, and besides the underlying structures discussed 
in this paper, it is an open problem to find novel constructions, particularly 
ones dedicated to certain applications. Also recall that (as in other schemes) 
there are three main overloads related to the proposed key management: stor- 
age@receiver, processing@receiver and communications overload. Taking into ac- 
count certain constraints on these parameters, the proposed schemes can be op- 
timized following the approaches reported in [3] and [19]. For example, for given 
constraints on storage@receiver and processing@receiver, the schemes can be op- 
timized regarding the communications overload, or for a given communications 
budget, the schemes can be optimized regarding storage@receiver and process- 
ing@receiver. On the other hand, in certain cases (where this is appropriate), 
further reduction of the overloads can be obtained by employing a relaxed specifi- 
cation of the targeted receivers subset in a manner similar to that reported in 
[1], where certain receivers which should be revoked are not excluded during 
the re-keying, assuming that the rate of these free-riders is within desired limits. 
Appendix A: Sketch of Proposition 1 Proof 

Recall that in the SKT-A scheme there are $2^{\log_2 N - H_{0A}}$ sections in the lower layer, 
and each of them is controlled via the basic LSD technique [11]; the upper layer 
consists of only one section where the CST technique [17] is employed. 

Note that the re-keying of a receiver is performed via the lower layer section 
or the upper layer one. Accordingly, a receiver should store the keys related to 
LSD and CST based re-keying. A section oriented basic LSD technique requires 
$(H_{0A})^{1.5}$ keys, and the upper section oriented CST requires $\log_2 N - H_{0A}$ keys. 
So, the dimension of the storage@receiver overload is $O((H_{0A})^{1.5} - H_{0A} + \log_2 N)$. 

Regarding the processing@receiver overload note the following. A new SEK 
could be delivered to the receiver employing the LSD or CST related keys. If an 
LSD related key is employed, the new SEK recovering at the receiver requires 
processing overload proportional to $H_{0A}$. If a CST related key is employed, 
the new SEK recovering requires processing@receiver overload proportional to 
$\log_2 \log_2 2^{\log_2 N - H_{0A}} = \log_2(\log_2 N - H_{0A})$. So the maximum processing@receiver 
overload is $O(\max\{H_{0A}, \log_2(\log_2 N - H_{0A})\}) = O(H_{0A})$. 

Finally, regarding the communications overload, suppose that there are $r_m$ 
revocations in the $m$th section, $m = 1, 2, \ldots, 2^{\log_2 N - H_{0A}}$, noting that 
$\sum_{m=1}^{2^{\log_2 N - H_{0A}}} r_m = R$ and $\sum_{m=1}^{2^{\log_2 N - H_{0A}}} (1 - \delta_{0, r_m}) = R_{0A}$, where $\delta_{a,b}$ is a function which takes 
value 1 if $a = b$, and 0 otherwise. LSD based revocation within a section $m$ 
requires communications overload of dimension $O(r_m)$, assuming $r_m > 0$. So, 
revocation of all $R$ receivers requires a communications overload of dimension 
$O(R)$. Also, $R_{0A}$ revocations should be performed over the upper section em- 
ploying CST, which requires additional communications overload of dimension 
$O(R_{0A}\log_2(2^{\log_2 N - H_{0A}}) - R_{0A}\log_2 R_{0A})$. Accordingly, the dimension of the commu- 
nications overload is given by $O(R + R_{0A}((\log_2 N) - H_{0A}) - R_{0A}\log_2 R_{0A})$. 

Appendix B: Sketch of Proposition 2 Proof 

Recall that in the SKT-B scheme there are $2^{\log_2 N - H_{0B}}$ sections in the lower layer 
and $2^{\log_2 N - H_{0B} - H_{1B}}$ in the middle layer; each of them is controlled via the basic 
LSD technique [11]; the upper layer consists of only one section where the CST 
technique [17] is employed. 

Note that the re-keying of a receiver is performed via a section within one of 
the tree layers, i.e., via a lower layer section or via a middle layer section or via 
the upper layer one. Accordingly, a receiver should store the keys related to LSD 
re-keying within the lower or middle layer, and the CST related ones for the upper 
layer. Recall that the lower layer section oriented basic LSD technique requires 
$(H_{0B})^{1.5}$ keys, the middle layer section oriented basic LSD technique requires 
$(H_{1B})^{1.5}$ keys, and the upper section oriented CST requires $\log_2 N - H_{0B} - H_{1B}$ 
keys. So, the dimension of the storage@receiver overload is $O((H_{0B})^{1.5} + (H_{1B})^{1.5} - H_{0B} - H_{1B} + \log_2 N)$. 

Regarding the processing@receiver overload note the following. A new SEK 
could be delivered to the receiver employing the LSD or CST related keys. If an 
LSD related key is employed, the new SEK recovering at the receiver requires 
processing overload proportional to $H_{0B}$ or $H_{1B}$, depending on whether a key 
from the lower or the middle layer is employed. If a CST related key is employed, 
the new SEK recovering requires processing@receiver overload proportional to 
$\log_2 \log_2 2^{\log_2 N - H_{0B} - H_{1B}} = \log_2(\log_2 N - H_{0B} - H_{1B})$. So the maximum pro- 
cessing@receiver overload is $O(\max\{H_{0B}, H_{1B}, \log_2(\log_2 N - H_{0B} - H_{1B})\}) = O(\max\{H_{0B}, H_{1B}\})$. 

Finally, regarding the communications overload, suppose that there are $r_m$ re- 
vocations in the $m$th section, $m = 1, 2, \ldots, 2^{\log_2 N - H_{0B}}$, noting that 
$\sum_{m=1}^{2^{\log_2 N - H_{0B}}} r_m = R$ and $\sum_{m=1}^{2^{\log_2 N - H_{0B}}} (1 - \delta_{0, r_m}) = R_{0B}$, where $\delta_{a,b}$ is a function which takes 
value 1 if $a = b$, and 0 otherwise. LSD based revocation within a section $m$ 
requires communications overload of dimension $O(r_m)$, assuming $r_m > 0$. So, re- 
vocation of all $R$ receivers requires a communications overload of dimension $O(R)$. 
Also, $R_{0B}$ revocations of the sections from the lower layer should be performed 
within the middle layer employing the middle section oriented basic LSD approach. 
Employing a consideration equivalent to the above one related to the lower 
layer, we obtain that revocation of all $R_{0B}$ sections in the middle layer requires a 
communications overload of dimension $O(R_{0B})$. Additionally, $R_{1B}$ revocations 
should be performed over the upper section employing CST, which requires ad- 
ditional communications overload of dimension $O(R_{1B}\log_2(2^{\log_2 N - H_{0B} - H_{1B}}) - R_{1B}\log_2 R_{1B})$. 
Accordingly, the dimension of the communications overload is given 
by $O(R + R_{0B} + R_{1B}((\log_2 N) - H_{1B} - H_{0B}) - R_{1B}\log_2 R_{1B})$. 
Abstract. Authenticated Key Establishment (AKE) protocols enable 
two entities, say a client (or a user) and a server, to share common ses- 
sion keys in an authentic way. In this paper, we review AKE protocols 
from a slightly different point of view, i.e. the relationship between the infor- 
mation a client needs to possess (for authentication) and the immunity to the 
respective leakage of stored secrets from a client side and a server side. 
Since information leakage is more conceivable than breaking 
down the underlying cryptosystems, it is desirable to enhance the im- 
munity to the leakage. First and foremost, we categorize AKE protocols 
according to how much resilience against the leakage can be provided. 
Then, we propose new AKE protocols that have immunity to the leak- 
age of stored secrets from a client and a server (or servers), respectively. 
We also extend our protocols to allow updating the secret values 
registered in server(s) or the password remembered by a client. 


1 Introduction 

1.1 Background 

Authenticated Key Establishment (abbreviated by ‘AKE’) protocols, which in- 
clude Authenticated Key Agreement (AKA) and Authenticated Key Transport 
(AKT), are designed for two entities, say a client and a server (in case of two- 
party protocols), to share common session keys in an authentic way over open 
networks where the session keys can be used for subsequent cryptographic algo- 
rithms (e.g., symmetric key cryptosystems and message authentication codes). 
Since AKE protocols are crucial cryptographic primitives, they have been widely 
used in various protocols, such as SSH (Secure SHell) [22], SSL/TLS (Secure 
Socket Layer/Transport Layer Security) [14,23], and in many applications such 
as internet banking, electronic commerce, secure content download, secure re- 
mote access and so on. In the literature, there exist many efficient and secure 
AKE protocols (typical examples can be found in [18,19]) in either the random 
oracle model or the standard model which consider an adversary that not only 
can eavesdrop on the communication of the entities but also can actively modify, 
delete and insert messages sent between the entities of its own choice. For au- 
thentication, AKE protocols must require the involved entities to possess some 
information like stored secrets, passwords or public keys (or their fingerprints). 

C.S. Laih (Ed.): ASIACRYPT 2003, LNCS 2894, pp. 155-172, 2003. 

While the security of cryptosystems and protocols including AKE has usually 
been discussed under the assumption that stored secrets will never be revealed, 
we assume here that the stored secrets may be leaked out. This can happen, for 
example, due to a bug or a mis-configuration of the system. Formally, 

Assumption 1 (Leakage) Stored secrets may leak out due to accidents such 
as bugs or mis-configurations of the system. The source of the leakage, i.e. the 
bugs or the mis-configurations, will be fixed as soon as possible. But some clients 
continue to use the same personal information, such as passwords. 

Of course, once the bug or the mis-configuration is found, it will be patched 
or fixed as soon as possible and then the system will be rebuilt (if necessary). 
This is a common practice on the Internet [10,31]. Even though the patch or the 
system rebuild may remove the risk of further leakage coming from the same 
bug or mis-configuration, the leaked secrets may still be abusable to in- 
trude into the newly rebuilt system or other systems, e.g. when a client registers 
the same password at different servers (see Section 1.4). Thus, we think it is 
very important to take into account the impact of the leakage (and the bur- 
den on the client). The idea of considering leakage of stored secrets is not a 
new one. Already, proactive schemes [17,35], forward-secure schemes [1,2,5,11], 
key-insulated systems [13,24] and password-authenticated key exchange (PAKE) 
[3,4,6,8,15,16,19,26,27,28,29,30,32,33,36] assumed similar situations. 


Problem Setting. Let us think of secrets stored in devices in the model of 
proactive schemes, forward-secure schemes and key-insulated systems, where the 
secrets should be updated or refreshed regularly in a predetermined time period, 
or at a time when a client (or a server) notices the leakage of stored secrets. 
Specifically, proactive schemes [17,35] improve threshold schemes by allowing 
multiple leakages of secrets, limiting only the number of simultaneous leakages. 
While forward-secure schemes [1,2,5,11] evolve secrets at the end of each time 
period, key-insulated systems [13,24] update secrets with update information 
coming from TRM (Tamper-Resistant Modules). All of them can minimize the 
impact of the leakage, but not completely prevent the damage. In addition, 
it takes some time from when stored secrets leak out until the client (or the 
server) realizes the fact and the secrets are replaced by new ones. During the 
time needed to realize the fact, or within the time period for updating, an adversary 
who obtained the secrets can break the security for a limited time period. Bringing this 
problem into AKE protocols which use only stored secrets may end up with the 
same result as above. The reason is that authentication totally depends on the 
stored secrets, so that leakage of the secrets is directly connected to impersonating 
the victimized entity. As a countermeasure, there exist AKE protocols using 
a password, without TRM. However, most PAKE protocols requiring only a 
password on the client’s side provide a solution against leakage of stored secrets 
from a client, but not from a server. Thus, it is desirable to provide immunity to the 
leakage of stored secrets from a client and a server, respectively. More detailed 
discussion will be provided throughout this section. From now on, we focus on AKE 
protocols using a password, where the password naturally takes a major role for 
authentication. 

1.2 Classification of AKE Protocols Using Password 

In the literature, various AKE protocols have been proposed so far which could 
be divided by what is used to authenticate entities. Here, we classify them ac- 
cording to the types of information a client needs to possess. 

At first, let us start by categorizing the types of information to be possessed 
by a client as follows. (i) Human-Memorable Secret (HMS): a secret which is 
remembered and typed in by a client, such as a password. (ii) Stored Secret 
(SS): secrets stored in a client’s machine, in a memory card, or somewhere that 
is not protected with perfect tamper-resistant modules. It may be merely secret 
values, a signing key of a digital signature scheme, a decryption key of a public 
key cryptosystem and/or a common key of a symmetric key cryptosystem. (iii) 
Public Information (PI): public information, such as a verification key of a dig- 
ital signature scheme, an encryption key of a public key cryptosystem, or their 
fingerprints. While anyone can get the public information, its validity must be 
verified at their own responsibility. 

Additionally, we assume the following on the HMS and the SS. 

Assumption 2 (Short but Secure to On-line Attacks) The size of the 
human-memorable secret is short enough to memorize, but large enough to avoid 
on-line exhaustive search. This means the secret may be vulnerable to off-line 
exhaustive search. 

The on-line attack is a series of exhaustive searches for a secret performed on-line, 
where adversaries sieve out secret candidates one by one by running an 
authentication protocol with the target entity (usually, the server). In contrast, the 
off-line attack is performed off-line, massively in parallel, with recorded transcripts 
of a protocol. While on-line attacks are applicable to all of the protocols using 
password equally, they can be prevented by letting a server take appropriate 
intervals between invalid trials. But we cannot avoid off-line attacks by such 
policies, mainly because the attacks are performed off-line and independently of 
the server. As a result, off-line attacks are critical to most of the protocols using 
human-memorable passwords. 

Assumption 3 (No Perfect TRM) TRM (Tamper-Resistant Modules) used 
to store the secrets are not perfectly free from bugs and mis-configurations. 

With the above types of information, we differentiate previous AKE proto- 
cols 1 . At first, we list typical AKE protocols using HMS and explain briefly how 
they work. (We ignore protocols which are vulnerable to off-line attacks as they 
are, such as CHAP [20], IPsec with pre-shared secret [21] and so on.) 

1 A more detailed description of previous AKE protocols will be given in [38]. 
SSL/TLS and SSH. We show two AKE protocols of SSL/TLS and SSH. (For a 
formal description of the following protocols, refer to SSL/TLS [14,23] and SSH 
[22].) 

1. Password-based User Authentication over a Secure Channel: In this scheme, 
a client establishes a secure connection to a server, and then sends the client’s 
password for authentication through the secure connection. The server ver- 
ifies the given password in the same way as the usual password verification 
procedure. Note that the server needs to store (a hashed value of) the pass- 
word. 

2. Public-Key based User Authentication with a Password-Protected Secret- 
Key: A server verifies a client’s secret key using a challenge-response protocol. 
In addition to that, the client stores the secret key in encrypted form with 
his password. 

Password-Authenticated Key Exchange (PAKE) Protocols. PAKE pro- 
tocols are designed for entities to share a fresh session key (to be secure against 
off-line attacks) by using only a pre-shared human-memorable password, which 
may be exhaustible with off-line attacks but not with on-line attacks. 

A brief sketch of PAKE protocols, which rely only on a password, is given 
as follows. Both a client and a server share the same password in advance. For 
authentication and key exchange, they run a PAKE protocol using the shared 
password (or a hashed value of it). If their inputs coincide with each other, 
they obtain the same value, which is used to generate a session key for secure 
channels. Otherwise, they get distinct values which are hard to guess for each other. 
Thus, no adversary can intrude in the middle of them or impersonate one entity 
to the other. 
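The sketch above, as an added example in Python (not one of the paper's protocols and not code from any of the cited works): a SPEKE-style exchange in which the shared password selects the Diffie-Hellman generator $g = H(pw)^2 \bmod p$, so that matching passwords give both sides the same value $g^{xy}$ and hence the same session key, while mismatched passwords leave them with unrelated values. The safe prime $p = 10007$ is a toy choice for readability (a deployment needs a group of at least 2048 bits), and the counter-based re-hashing used to avoid a degenerate generator is an assumption of this example.

```python
import hashlib
import secrets

# Toy safe prime p = 2q + 1 (constructed for the example; far too small for real use).
P = 10007
Q = (P - 1) // 2


def password_generator(password: str) -> int:
    """SPEKE-style password-derived generator g = H(pw)^2 mod p, which lies in the
    order-q subgroup. Re-hashing with a counter when the value is 0 or 1 is an
    assumption of this example, not part of any standard."""
    counter = 0
    while True:
        digest = hashlib.sha256(b"%d:%s" % (counter, password.encode())).digest()
        g = pow(int.from_bytes(digest, "big") % P, 2, P)
        if g not in (0, 1):
            return g
        counter += 1


def derive_key(shared: int, transcript: bytes) -> bytes:
    """Session key = H(transcript || shared value): binds the key to the exchanged messages."""
    return hashlib.sha256(transcript + shared.to_bytes(2, "big")).digest()


class Party:
    """One side of the exchange. Each side holds only the password, so the server's
    verification data here is the password itself (the leakage-from-server issue
    the paper discusses for PAKE)."""

    def __init__(self, password: str, exponent: int = None):
        self.g = password_generator(password)
        self.x = exponent if exponent is not None else secrets.randbelow(Q - 1) + 1
        self.public = pow(self.g, self.x, P)          # g^x mod p, sent in the clear

    def session_key(self, peer_public: int, transcript: bytes) -> bytes:
        # With a common g both sides reach g^(xy); with different g's the values differ.
        return derive_key(pow(peer_public, self.x, P), transcript)


def run_pake(client_pw: str, server_pw: str, cx: int = None, sx: int = None):
    """Run the exchange and return (client_key, server_key, transcript). The transcript
    is everything an eavesdropper sees; it never carries the password."""
    client, server = Party(client_pw, cx), Party(server_pw, sx)
    transcript = b"%d|%d" % (client.public, server.public)
    return (client.session_key(server.public, transcript),
            server.session_key(client.public, transcript),
            transcript)


if __name__ == "__main__":
    ck, sk, _ = run_pake("correct horse", "correct horse")
    print("same password  -> keys equal:", ck == sk)
    ck, sk, _ = run_pake("correct horse", "wrong horse")
    print("wrong password -> keys equal:", ck == sk)
```

The exchanged values $g^x$ and $g^y$ alone do not let an eavesdropper check a password guess without solving the discrete logarithm in the group, which is the property that distinguishes PAKE from sending a password hash; the same code also makes the paper's later point concrete, since a party object that leaks reveals the password directly.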

Up to now, a variety of studies on PAKE protocols [3], [4], [6], [8], [15], [16], 
[19], [26], [27], [28], [29], [30], [32] have appeared in the literature. In PAKE 
protocols, a client keeps his password in mind, whereas the counterpart server 
should have its verification data, which is used to verify the client’s knowledge of 
the password. That means leakage of stored secrets (that is, verification data) 
from the server makes off-line dictionary attacks possible for an adversary. 

Threshold-PAKE (T-PAKE) Protocols. In order to prevent the leakage 
of stored secrets from a server, [33,36] proposed T-PAKE protocols where a 
client’s password or verification data is not stored in a single server but rather 
shared among a set of servers using a secret sharing scheme. Since only a certain 
threshold of servers can reconstruct the client’s password or verification data 
in the authentication phase, the leakage of stored secrets from any number of 
servers smaller than the threshold doesn’t help an adversary to perform off-line 
attacks. 

1.3 Evaluation by Immunity to the Leakage 

As mentioned in Section 1.1, we consider the situation that stored secrets from 
a client and a server may leak out due to a bug or a mis-configuration of the 
system. Before evaluating previous AKE protocols using password according to 
immunity to the leakage of stored secrets, we divide security levels into two cases 
with respect to whether an AKE protocol can maintain its security (with the 
client’s password unknown to an adversary) against on-line and off-line attacks, 
and then summarize them in Table 1. 

Table 1. Attack and security levels. 

| Security levels        | Attack levels                      | 
|                        | On-line attacks | Off-line attacks | 
| Strongly secure*1 (O)  | Secure          | Secure           | 
| Weakly secure*2 (A)    | Secure          | Insecure         | 

*1: An AKE protocol using password is said to be strongly secure (denoted by 
O) if the protocol can be tolerant against both on-line and off-line attacks. 
*2: An AKE protocol using password is said to be weakly secure (denoted by 
A) if the protocol can be tolerant against on-line but not off-line attacks. 

With these security levels, we summarize comparative results in Table 2 about 
whether a client (or a server) can remain resistant against on-line and off-line 
attacks even after stored secrets from the client (or the server) are leaked out to 
an adversary, respectively. For simplicity, we evaluate immunity to the leakage 
of each class of AKE protocols presented in Section 1.2. 

As shown in the table, PAKE protocols just require that a client keep in mind 
his password while the counterpart server holds verification data asso- 
ciated with the password. Consequently, if stored secrets in the server are leaked 
out, an adversary who gets them can retrieve the original password through 
off-line attacks, simply by verifying password candidates one by one using the 
verification data. As a countermeasure to the leakage from a server, [33,36] pro- 
vided a solution in which $n$ ($n > 1$) servers share the verification data (or verification 
function) using a secret sharing scheme and a threshold of the servers participate 
in the protocol to authenticate a client. That is, the leakage of stored secrets 
from any number of servers smaller than the threshold does not make off-line 
attacks possible. However, the client's password can be retrieved if stored secrets 
from the threshold or more than the threshold of servers are leaked out. In a 
word, it is impossible for PAKE (T-PAKE) protocols using only HMS (and PI) 
to achieve strong security against the leakage from server(s). 

Fact 1 (Impossibility of Strong Security in PAKE and T-PAKE) PAKE 
(T-PAKE) protocols, requiring only HMS (and PI) as clients' possessions, cannot 
achieve strong security against the leakage from server(s). For any such 
protocol, an adversary can perfectly simulate the protocol using the leaked secrets 
from the server(s), so that he/she can try the password candidates off-line in parallel. 

SSL/TLS and SSH in the password-based user authentication mode make a 
server keep a hashed value of a client's password. As a matter of course, leakage 
of stored secrets from the server results in revealing the password through off-line 
attacks. In SSL/TLS and SSH in the public-key based user authentication 
mode with a password-protected secret-key, leakage from a client leaves the protocol 
resistant to on-line attacks only: an adversary who is willing to get the client's 
password can obtain it through off-line attacks. 

Table 2. Comparison of AKE protocols using password. 

  Protocols                  | Client's possessions | Immunity to leakage 
                             | HMS | SET | PI       | from Client | from Server 
  ---------------------------+-----+-----+----------+-------------+------------- 
  PAKE*1                     |  ✓  |     |          |      ○      |     △ 
  Our Proposals              |  ✓  |  ✓  |          |      ○      |     ○ 
  SSL/TLS*2, SSH*2, T-PAKE   |  ✓  |     |  ✓       |      ○      |     △*4 
  SSL/TLS*3, SSH*3           |  ✓  |  ✓  |  ✓       |      △      |     ○ 

*1: Most PAKE protocols, being secure against "server compromise"^a, which hold 
clients' verification data. 
*2: Key-establishment part of SSL/TLS and SSH in the password-based user au- 
thentication mode^b. 
*3: Key-establishment part of SSL/TLS and SSH in the public-key based user au- 
thentication mode with a password-protected secret-key^c. 
*4: T-PAKE protocols [33,36] have the immunity up to their threshold of servers. 

^a Throughout this paper, we use the terminology of 'leakage' rather than 'com- 
promise'. 
^b More specifically, password authentication after the server authentication in 
SSL/TLS, or the password authentication in SSH. 
^c More specifically, mutual authentication in SSL/TLS, RSA authentication in 
SSH protocol version 1, or public key authentication in SSH protocol version 2. 

As a consequence, Table 2 indicates that each of the existing AKE protocols using 
password is vulnerable to the leakage from either the client or the server. That is, 
none of the AKE protocols (except ours) provides immunity to the leakage of 
stored secrets from the client and from the server, respectively. Recall that 
AKE protocols which use only stored secrets can minimize the impact of the 
leakage by updating or refreshing the secrets, but cannot completely prevent the 
damage. 


1.4 A Realistic, but Critical, Problem of AKE Protocols 
Using Password 

Are all the existing AKE protocols using password really secure in the real world? 
Instead of answering this question directly, we take as an example a very realistic 
but critical situation in the real world. 

Let us think of an ordinary client who connects with several disparate 
servers, each requiring a password, over networks for internet banking, internet 
shopping, internet auctions, ftp servers, electronic voting and so on. As of now, 
all of the AKE protocols implicitly assume that the client regis- 
ters information-theoretically independent passwords for different 
servers. Remember that a password is something human beings can memorize, 
usually 6-8 characters (including digits) in size. Ironically, 
how many passwords can we remember? 10 or 20? Of course, it depends on the 
individual. Here, we make another assumption as follows: 

Assumption 4 (One Memorized Secret) A client remembers only one 
human-memorable secret, i.e. one password, even if he/she communicates with 
several different servers. That means the client uses the same password with distinct 
kinds of servers that do not share any secret information with one another. 

Under the Assumption 4 in the multiple server scenario, we have to take into 
consideration the impact on other servers after the leakage of stored secrets from 
one server in the real world. 

Definition 1 (Impact after the Leakage from One Server) An AKE pro- 
tocol using password, where there is no impact on other servers after the leakage 
of stored secrets from one server, is said to be desirable in the sense that an ad- 
versary, after obtaining verification data associated with a client's password from 
one server, cannot retrieve the password that would make it possible to impersonate the 
client to the other servers of Assumption 4. That is, the password is completely 
protected against off-line attacks even if the adversary can get some verification 
data from servers. 

Of course, a client may change his password at all servers at once as soon as 
he comes to know that stored secrets from one of the servers have been revealed. 
However, this places a burden on the client. 


Motivation. The motivation of this paper is how to design an AKE proto- 
col that has immunity to the leakage of stored secrets from a client and servers, 
respectively, under Assumption 4. That means the client need not change his 
password, even if stored secrets are leaked out from either the client or servers. 
However, we can easily deduce the following fact: there exists no AKE pro- 
tocol which is immune to the leakage from a client and servers simultaneously. 

Fact 2 (Impossibility of Perfect Security) No AKE protocol can 
achieve strong security against the leakage from both a client and servers 
simultaneously. If an adversary obtains stored secrets from both a client and 
servers at the same time, he/she can perfectly simulate the protocol using the 
leaked secrets. Thus the adversary can try the password candidates off-line in 
parallel. 

This fact motivates us to achieve the next highest goal, i.e. strong security 
against the leakage from a client and servers, respectively. Notice that our pro- 
tocol is not a kind of PAKE protocol, but a new one that requires one password 
and secret values on the client's side. 
1.5 Our Contributions 

In this paper, we propose new AKE protocols that are immune to the leakage 
of stored secrets from both a client and servers respectively, as long as the leak- 
ages are not simultaneous, where the client keeps one password in his mind and 
stores secret values in devices. Specifically, a client registers with each of several 
different kinds of servers a partial secret value (which is not a share itself) derived 
from one password by means of a secret sharing scheme. The protocol of Section 2.2 is a 
generalized version in which the number of servers is fixed in advance, whereas 
the second, in Section 2.3, can be readily applied to the real world, simply because 
the latter considers synchronization between a client and one of the servers for 
registering a secret value. That means the client can compute a secret value from 
the same password at any time when he needs to register to a new server, 
without restricting the number of servers. In our protocols, an adversary obtain- 
ing stored secrets after the leakage from all of the servers (the client has been 
communicating with) cannot find out the password. Also, an adversary getting 
stored secrets after the leakage from the client cannot sieve out the password. 
More interestingly, the password remains information-theoretically secure even 
if the leakage of stored secrets from the client and servers happens, respectively. 

In addition to that, our protocols have the following advantages: (1) the 
proposed protocols can be constructed with small modifications of the widely 
used Diffie-Hellman key exchange protocol [12]. (2) the proposed protocols have 
a formal validation of security in the standard model (instead of the random 
oracle model [9]) under the assumption that DDH (Decisional Diffie-Hellman) 
problem is hard and MACs are selectively unforgeable against partially chosen 
message attacks (which is a weaker notion than being existentially unforgeable 
against chosen message attacks). 

Then, we extend our protocol of Section 2.2 to two protocols where one en- 
ables a client to update each of the secret values registered in different servers 
without changing his password (which might be remembered with considerable 
effort) 2 and the other enables a client to change his password with a new pass- 
word while updating each of the secret values in different servers. 

For better understanding, it may be helpful to state what is different between 
our approach and the T-PAKE protocols [33,36]. The main difference is that 
[33,36] cannot preserve their security (a client's password) against off-line attacks 
if stored secrets from the threshold or more than the threshold of servers are 
revealed, whereas ours can maintain it even after stored secrets from all of 
the servers (a client is communicating with) are revealed. Recall that [33,36] 
proposed T-PAKE protocols in order to protect a client's password from the 
leakage of stored secrets in a server, by distributing the verification data 
(or function) associated with the password over a set of servers. 

2 This additional function is useful when we consider a situation where an admin- 
istrator of a server resigns, taking the secret values (associated with clients' passwords) in 
the server with him. However, recall that frequent change of passwords rather increases 
the risk of a password being lost or cracked, simply because people tend to write it 
down somewhere. 
By contrast, our protocols distribute secret values computed with the password 
by the client himself. Accordingly, if stored secrets from the threshold or more 
than the threshold of servers are leaked out in [33,36], clients' passwords can 
be retrieved by an adversary, which affects different servers that don't share 
any secret information with one another under Assumption 4. Besides, both the 
communication and the computation complexity of [33,36] are by far larger than 
ours. And applications of [33,36] are restricted, since a certain threshold of servers 
must take part in the protocol for authentication. 


1.6 Organization 

This paper is organized as follows: In Section 2, we propose new AKE protocols 
that have immunity to the leakage of stored secrets from not only a client but 
also servers, respectively. Section 3 shows how our protocols can remain resistant 
against off-line attacks even after the leakage of stored secrets from the client 
and servers, respectively. Then, we extend the proposed protocols in Section 4. 

2 Our Proposals: Leakage-Resilient AKE Protocols 

2.1 Scenario 

Here, we consider the following scenario: there are $n-1$^3 disparate kinds of 
servers communicating with a client, who wants to use one password and secret 
values to produce cryptographically secure (or, high entropy) session keys with 
different servers at any time. 

Our protocols are defined over a finite cyclic group $\mathcal{G} = \langle g \rangle$ where $|\mathcal{G}| = q$ 
and $q$ is a large prime (or, a positive integer divisible by a large prime). While 
$\mathcal{G}$ can be a group over an elliptic curve, we assume that $\mathcal{G}$ is a prime order 
subgroup over a finite field $\mathbb{F}_p$. That is, $\mathcal{G} = \{g^i \bmod p : 0 \le i < q\}$ where $p$ 
is a large prime number, $q$ is a large prime divisor of $p-1$ and $g$ is an integer 
such that $1 < g < p-1$, $g^q = 1$ and $g^i \neq 1$ for $0 < i < q$. A generator of $\mathcal{G}$ 
is any element in $\mathcal{G}$ except 1. In what follows, all the subsequent arithmetic 
operations are performed modulo $p$, unless otherwise stated. Both $g$ and $h$ 
are two generators of $\mathcal{G}$ chosen so that the DLP (Discrete Logarithm Problem), i.e. 
calculating 

$$\alpha = \log_g h, \qquad (1)$$ 

is hard for each entity. Both $g$ and $h$ may be given as system parameters 
or chosen in an initialization phase between entities. 

The protocols consist of the following four phases: an initialization phase, 
a secrecy amplification phase, a verification phase and a session-key generation 
phase. In the initialization phase, a client registers each of the secret values 
computed by himself to different servers. Then, he stores the corresponding secret 
values in devices such as smart cards or computers and keeps only one password 
in mind. In the secrecy amplification phase, the secrecy of a weak secret, i.e. a human- 
memorable password that may be vulnerable to off-line attacks, is amplified 
to a strong secret (we call it a keying material) that is secure even against off-line 
attacks. In the verification phase, both client and server confirm whether or 
not they share the same keying material using a challenge-response protocol with 
the keying material as its key. In the session-key generation phase, a session key 
is generated using the keying material. 

3 In the case of two-party protocols, $n$ becomes 2. As our protocols also cover the two- 
party case, we set up $n$ ($2 \le n < q$) so as, at the same time, to consider the 
multiple server scenario of Assumption 4. 


2.2 A Leakage-Resilient AKE Protocol 

We describe a construction for a leakage-resilient AKE protocol which is illus- 
trated in Fig. 1. The key idea behind our protocol is that a client can generate 
$n$ shares of his password simply by inputting the password (as the secret value) into 
the $(n,n)$-threshold secret sharing scheme of [7,37]; in the initialization phase each of 
$n-1$ shares is used for registering a secret value to the corresponding server, and 
the remaining share (not the share itself, but values derived from it) is kept in his devices. 

[Initialization] A client $C$, included in $n$ entities, is willing to register each of 
the secret values generated by one password $pw$ to the respective $n-1$ different 
servers $S_i$ ($1 \le i \le n-1$). For simplicity, we assign the servers consecutive integers 
$1 \le i \le n-1$ where $i$ can be regarded as each server's ID and $n$ as the client's 
ID. First and foremost, the client picks a random polynomial $p(x)$ of degree $n-1$ 
with coefficients randomly chosen in $(\mathbb{Z}/q\mathbb{Z})^*$: 

$$p(x) = \sum_{j=0}^{n-1} a_j \cdot x^j \bmod q \qquad (2)$$ 

and sets $a_0 = pw$^4 where $pw$ is the client's password. After computing the 
respective shares $p(i)$ ($1 \le i \le n-1$) with the above polynomial, he registers 
securely each of the secret values $h^{p(i)\cdot\lambda_i}$ to the corresponding server $S_i$ ($1 \le i \le 
n-1$) as follows: 

$$S_i \leftarrow h^{p(i)\cdot\lambda_i}, \quad \text{where } \lambda_i = \prod_{k=1,\,k \neq i}^{n} \frac{k}{k-i} \bmod q \qquad (3)$$ 
where $p(i)$ is a share of the $(n,n)$-threshold secret sharing scheme and $\lambda_i$ is a La- 
grange coefficient. Note that share $p(n)$, which is for the client, is never regis- 
tered to any server. Then, the client just stores the corresponding secret values 
$h_i$ ($1 \le i \le n-1$) for the servers $S_i$ in devices, such as smart cards or computers, 
which may happen to leak the secrets $h_i$, and keeps his password $pw$ in mind: 

$$h_i \leftarrow h^{\sum_{l=1,\, l \neq i}^{n} p(l)\cdot\lambda_l}. \qquad (4)$$ 

Of course, all the other (intermediate) values should be deleted from the devices. 

4 Instead of $pw$, a hashed value of the password can be used. In either case, as long as 
both have the same entropy, it doesn't affect the security. 

Leakage-Resilient Authenticated Key Establishment Protocols 165 

Fig. 1. A leakage-resilient AKE protocol (reconstructed as a message flow). The stored 
secrets of client and server are $h_i$ and $h^{p(i)\cdot\lambda_i}$, respectively. 

  Client $C$                                            Server $S_i$ ($1 \le i \le n-1$) 
  $r_1 \leftarrow_R (\mathbb{Z}/q\mathbb{Z})^*$                                 $r_2 \leftarrow_R (\mathbb{Z}/q\mathbb{Z})^*$ 
  $y_1 \leftarrow g^{r_1}\cdot h_i\cdot h^{-pw}$                  $y_2 \leftarrow g^{r_2}\cdot h^{p(i)\cdot\lambda_i}$ 
                 $\xrightarrow{\ y_1\ }$    $\xleftarrow{\ y_2\ }$    (sent independently) 
  $km_c \leftarrow (y_2\cdot h_i\cdot h^{-pw})^{r_1}$                 $km_s \leftarrow (y_1\cdot h^{p(i)\cdot\lambda_i})^{r_2}$ 
  $v_1 \leftarrow \mathrm{MAC}_{km_c}(Tag_c\|y_1\|y_2)$            $v_2 \leftarrow \mathrm{MAC}_{km_s}(Tag_s\|y_1\|y_2)$ 
                 $\xrightarrow{\ v_1\ }$    $\xleftarrow{\ v_2\ }$ 
  If $v_2 = \mathrm{MAC}_{km_c}(Tag_s\|y_1\|y_2)$,                  If $v_1 = \mathrm{MAC}_{km_s}(Tag_c\|y_1\|y_2)$, 
  $sk_c \leftarrow \mathrm{MAC}_{km_c}(Tag_{sk}\|y_1\|y_2)$.            $sk_s \leftarrow \mathrm{MAC}_{km_s}(Tag_{sk}\|y_1\|y_2)$. 


[Secrecy Amplification] When the client $C$ wants to share a session key with 
one of the servers $S_i$ ($1 \le i \le n-1$), he chooses a random number $r_1 \leftarrow_R (\mathbb{Z}/q\mathbb{Z})^*$. 
Then, the client sends $y_1$ to server $S_i$, after calculating $y_1 \leftarrow g^{r_1}\cdot h_i\cdot h^{-pw}$ using 
the secret value $h_i$ corresponding to the server and his password $pw$ that is 
partially shared with the server. The server $S_i$ also calculates $y_2 \leftarrow g^{r_2}\cdot h^{p(i)\cdot\lambda_i}$ 
with a random number $r_2 \leftarrow_R (\mathbb{Z}/q\mathbb{Z})^*$ and its secret value $h^{p(i)\cdot\lambda_i}$ (partial secret 
information about the password) registered by the client in the initialization 
phase, and then transmits it to the client. On both sides, the client's keying 
material becomes $km_c \leftarrow (y_2\cdot h_i\cdot h^{-pw})^{r_1}$ and the server's one becomes 
$km_s \leftarrow (y_1\cdot h^{p(i)\cdot\lambda_i})^{r_2}$. 

Only if the client uses the right password $pw$ and the corresponding secret 
value $h_i$ for server $S_i$, and the server $S_i$ uses the right secret value $h^{p(i)\cdot\lambda_i}$, can both 
of them share the same keying material, which is obtained by Lagrange inter- 
polation: 

$$km_c = (y_2\cdot h_i\cdot h^{-pw})^{r_1} = \left(g^{r_2}\cdot h^{p(i)\cdot\lambda_i}\cdot h^{\sum_{l=1,\,l\neq i}^{n} p(l)\cdot\lambda_l}\cdot h^{-pw}\right)^{r_1} = g^{r_2\cdot r_1}, \qquad (5)$$ 

$$km_s = \left(y_1\cdot h^{p(i)\cdot\lambda_i}\right)^{r_2} = \left(g^{r_1}\cdot h^{\sum_{l=1,\,l\neq i}^{n} p(l)\cdot\lambda_l}\cdot h^{-pw}\cdot h^{p(i)\cdot\lambda_i}\right)^{r_2} = g^{r_1\cdot r_2}. \qquad (6)$$ 

Otherwise guessing the other's keying material is hard due to the DLP (see [38]). 
Also, adversaries cannot determine the correct password of the client through 
off-line attacks since they know neither the client's random number $r_1$ chosen at 
the time nor the secret value $h_i$ corresponding to server $S_i$, both of which are 
required to narrow down the password $pw$. 

This phase ends up with only one pass in parallel since both $y_1$ and $y_2$ can 
be calculated and sent independently (where $g^{r_1}\cdot h_i$ and $y_2$ are pre-computable). 
Additionally, the implementation cost of this phase is very low because it can 
be obtained from a small modification of the widely used Diffie-Hellman key 
exchange protocol [12]: the client's message is the Diffie-Hellman value $g^{r_1}$ multiplied 
by $h^{-p(i)\cdot\lambda_i} = h_i\cdot h^{-pw}$, and the server's is $g^{r_2}$ multiplied by $h^{p(i)\cdot\lambda_i}$. 

[Verification] In this phase, a pair of entities can verify whether they share the 
same keying material or not with a challenge-response protocol using the keying 
material calculated in the secrecy amplification phase. 

The client and the server calculate $v_1 \leftarrow \mathrm{MAC}_{km_c}(Tag_c\|y_1\|y_2)$ and $v_2 \leftarrow 
\mathrm{MAC}_{km_s}(Tag_s\|y_1\|y_2)$, respectively, using a MAC generation function $\mathrm{MAC}_k(\cdot)$ 
with the keying materials as its key $k$. Both $Tag_c$ and $Tag_s$ are pre-determined 
distinct values, e.g. $Tag_c = (ID_c\|ID_s\|00)$ and $Tag_s = (ID_c\|ID_s\|01)$ where 
$ID_c$ and $ID_s$ are IDs of the client and the server respectively. Then, they ex- 
change $v_1$ and $v_2$ with each other, before verifying $v_2 = \mathrm{MAC}_{km_c}(Tag_s\|y_1\|y_2)$ and 
$v_1 = \mathrm{MAC}_{km_s}(Tag_c\|y_1\|y_2)$ on both sides. If at least one of them does not hold, 
the corresponding entities wipe out all the temporary data including the keying 
materials, and then close the session. Otherwise they proceed to the session-key 
generation phase. 

Adversaries can try off-line attacks on the keying material using $\{(Tag_c\|y_1\|y_2)$ and $v_1\}$ 
or $\{(Tag_s\|y_1\|y_2)$ and $v_2\}$. The success probability achievable within a 
polynomial time $t$ is negligible if a strong secret is shared in the secrecy 
amplification phase and an appropriate MAC generation function, whose keys 
are unguessable, is used. 

[Session-Key Generation] If the above verification phase succeeds, the 
entities generate their session keys using the verified keying materials as follows: 

$$sk_c \leftarrow \mathrm{MAC}_{km_c}(Tag_{sk}\|y_1\|y_2) \qquad (7)$$ 

$$sk_s \leftarrow \mathrm{MAC}_{km_s}(Tag_{sk}\|y_1\|y_2) \qquad (8)$$ 

where $Tag_{sk}$ is a pre-determined value distinct from both $Tag_c$ and $Tag_s$, e.g. 
$Tag_{sk} = (ID_c\|ID_s\|11)$. The generated session keys are used for their subse- 
quent cryptographic algorithms. 

The requirement for the MAC generation function in this phase and the 
previous phase is that $\varepsilon_{mac}(k_2, t, i)$ be negligibly small for a practical security pa- 
rameter $k_2$ and $i$ (a polynomial in $k_2$). Hence if adversaries 
cannot forge a MAC corresponding to $(Tag_{sk}\|y_1\|y_2)$ under $km_c$ or $km_s$ with sig- 
nificant probability, they cannot obtain any information about the session key. This 
requirement can be satisfied by using a universal one-way hash function [34] or 
by using a practical MAC generation function, such as HMAC-SHA-1 [25] (and 
even keyed MD5), since no effective algorithm has been known so far to 
make $\varepsilon_{mac'}(k_2,t,i)$ non-negligible, where $\varepsilon_{mac'}(k_2,t,i)$ is larger than or equal to 
$\varepsilon_{mac}(k_2,t,i)$. 

2.3 A More Practical Leakage-Resilient AKE Protocol 

The proposed protocol in Section 2.2 deployed an $(n,n)$-threshold secret sharing 
scheme in order to generate $n-1$ secret values, each registered to one of $n-1$ 
servers. That is, a client has to determine the number of different 
servers in advance and register each of the secret values to the servers all at 
once. In the real world, it is desirable that a client be able to 
choose among different kinds of servers at his own will. Although a client in 
the protocol of Section 2.2 can choose $n-1$ different servers, we show here how to 
apply the proposed protocol to the case where the client can compute a secret 
value (from one password) at any time when needed. This approach makes the 
initialization phase of the protocol of Section 2.2 simpler, just by 
replacing the $(n,n)$-threshold secret sharing scheme with a $(2,2)$-threshold one. 


[Initialization] A client $C$ is willing to register a secret value generated by 
one password $pw$ to one of the different servers $S_i$, where $i$ can be regarded as each 
server's ID. Every time he needs to register a secret value to a server, the 
client picks a distinct random polynomial $p_i(x)$ (for the respective server $S_i$) of 
degree 1 with coefficient $a_{i1}$ randomly chosen in $(\mathbb{Z}/q\mathbb{Z})^*$: 

$$p_i(x) = \sum_{j=0}^{1} a_{ij}\cdot x^j = a_{i0} + a_{i1}\cdot x \bmod q \qquad (9)$$ 

and sets $a_{i0} = pw$ where $pw$ is the client's password. After computing a share 
$p_i(1)$ with the above polynomial, he registers securely a secret value $h^{p_i(1)\cdot\lambda_1}$ to 
the server $S_i$ as follows: 

$$S_i \leftarrow h^{p_i(1)\cdot\lambda_1}, \quad \text{where } \lambda_1 = 2 \bmod q \qquad (10)$$ 

where $p_i(1)$ is a share of the $(2,2)$-threshold secret sharing scheme for the server $S_i$, 
and $\lambda_1$ is a Lagrange coefficient. Note that share $p_i(2)$ is for the client. Then, 
the client just stores the corresponding secret value $h_i$ in devices and keeps his 
password $pw$ in mind: 

$$h_i \leftarrow h^{p_i(2)\cdot\lambda_2}, \quad \text{where } \lambda_2 = -1 \bmod q. \qquad (11)$$ 

The remaining phases of this protocol are the same as those of Section 2.2. 
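To make the four phases concrete, here is an added worked example, written for this edit and not taken from the paper or its authors, of the protocol of Section 2.2 (initialization with $(n,n)$-sharing, secrecy amplification, verification and session-key generation); calling it with $n = 2$ gives the $(2,2)$ variant of Section 2.3. The toy group ($p = 1019$, $q = 509$), the derivation of $g$ and $h$ by hashing, the mapping of a password string into $(\mathbb{Z}/q\mathbb{Z})^*$, the byte encodings, and the instantiation of $\mathrm{MAC}$ as HMAC-SHA-256 are all assumptions for illustration; a deployment needs a prime-order subgroup of cryptographic size in which $\log_g h$ is infeasible. The optional `r1`/`r2` arguments exist only to reproduce a transcript and must be left at their default in practice.

```python
# Added example (not code from the paper): the leakage-resilient AKE protocol of
# Section 2.2, with n = 2 giving the (2,2) variant of Section 2.3. Group size,
# hash-to-group, password mapping and HMAC-SHA-256 as MAC are assumptions.
import hashlib
import hmac
import secrets

P, Q = 1019, 509                      # toy safe prime p = 2q + 1 (assumption only)
L = (P.bit_length() + 7) // 8         # byte length used when encoding y_1, y_2, keys


def subgroup_element(seed: bytes) -> int:
    """Hash `seed` into G = {x^2 mod p}, the order-q subgroup of F_p^*, never 1.
    Deriving h by hashing keeps log_g h unknown to every party (meaningful only
    at real group sizes)."""
    for ctr in range(256):
        x = int.from_bytes(hashlib.sha256(seed + bytes([ctr])).digest(), "big") % P
        y = pow(x, 2, P)
        if y not in (0, 1):
            return y
    raise RuntimeError("unreachable for p > 3")


G = subgroup_element(b"generator-g")
H = subgroup_element(b"generator-h")


def password_to_zq(pw: str) -> int:
    """Footnote 4: a hashed password may replace pw; map it into (Z/qZ)^*."""
    return int.from_bytes(hashlib.sha256(pw.encode()).digest(), "big") % (Q - 1) + 1


def lagrange_at_zero(i: int, n: int) -> int:
    """lambda_i = prod_{k != i} k / (k - i) mod q, so that sum_l p(l) lambda_l = p(0)."""
    lam = 1
    for k in range(1, n + 1):
        if k != i:
            lam = lam * k * pow(k - i, -1, Q) % Q
    return lam


def initialize(pw: int, n: int) -> tuple[dict[int, int], dict[int, int]]:
    """Initialization, equations (2)-(4): p(0) = pw, server i stores h^{p(i) lambda_i},
    the client's device stores h_i = h^{sum_{l != i} p(l) lambda_l} for each server i."""
    coeffs = [pw] + [secrets.randbelow(Q - 1) + 1 for _ in range(n - 1)]
    exps = {}
    for l in range(1, n + 1):
        p_l = sum(a * pow(l, j, Q) for j, a in enumerate(coeffs)) % Q
        exps[l] = p_l * lagrange_at_zero(l, n) % Q
    servers = {i: pow(H, exps[i], P) for i in range(1, n)}
    device = {i: pow(H, sum(e for l, e in exps.items() if l != i) % Q, P) for i in range(1, n)}
    return servers, device


def mac(key: int, tag: bytes, y1: int, y2: int) -> bytes:
    """MAC_k(Tag || y_1 || y_2), instantiated with HMAC-SHA-256 (assumption)."""
    msg = tag + y1.to_bytes(L, "big") + y2.to_bytes(L, "big")
    return hmac.new(key.to_bytes(L, "big"), msg, "sha256").digest()


def run_session(pw: int, h_i: int, server_secret: int, id_c: bytes, id_s: bytes,
                r1: int = 0, r2: int = 0):
    """One run of secrecy amplification, verification and session-key generation.
    Returns (sk_c, sk_s) on success, None if either side rejects. Non-zero r1/r2
    only reproduce a transcript; the default draws fresh randomness."""
    tag_c, tag_s, tag_sk = id_c + id_s + b"00", id_c + id_s + b"01", id_c + id_s + b"11"
    r1 = r1 or secrets.randbelow(Q - 1) + 1
    r2 = r2 or secrets.randbelow(Q - 1) + 1
    # Secrecy amplification: one round, both messages computed independently.
    y1 = pow(G, r1, P) * h_i * pow(H, -pw, P) % P            # client -> server
    y2 = pow(G, r2, P) * server_secret % P                    # server -> client
    km_c = pow(y2 * h_i * pow(H, -pw, P) % P, r1, P)          # (5): g^{r1 r2} iff secrets match
    km_s = pow(y1 * server_secret % P, r2, P)                 # (6)
    # Verification: challenge-response MACs keyed by the keying material.
    v1 = mac(km_c, tag_c, y1, y2)                             # client -> server
    v2 = mac(km_s, tag_s, y1, y2)                             # server -> client
    if not hmac.compare_digest(v2, mac(km_c, tag_s, y1, y2)):
        return None                                           # client wipes km_c, aborts
    if not hmac.compare_digest(v1, mac(km_s, tag_c, y1, y2)):
        return None                                           # server wipes km_s, aborts
    # Session-key generation, equations (7) and (8).
    return mac(km_c, tag_sk, y1, y2), mac(km_s, tag_sk, y1, y2)


if __name__ == "__main__":
    pw = password_to_zq("correct horse battery")      # constructed sample password
    servers, device = initialize(pw, n=4)             # Section 2.2: three servers
    assert run_session(pw, device[2], servers[2], b"alice", b"bank") is not None
    servers2, device2 = initialize(pw, n=2)           # Section 2.3: (2,2) sharing
    assert run_session(pw, device2[1], servers2[1], b"alice", b"shop") is not None
```

With a wrong password the two keying materials differ by a non-trivial power of $h$ (compare (5) and (6)), so the MAC check fails and both sides abort; a transcript alone never exposes $h^{pw}$, which is why off-line guessing needs a leaked $h_i$ or $r_1$.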


3 Security 

This section shows the security of the password in Section 2.2 against off-line attacks 
after the leakage of stored secrets from a client and servers, respectively. The 
security of the password in Section 2.3, which is the case $n = 2$ of the $(n,n)$-threshold 
secret sharing scheme, follows straightforwardly. Moreover, the 
security against on-line and off-line attacks of the adversary below can be proven 
in the standard model, as Theorem 2. (For the formal security proof, refer to [38].) 

In the security model of our protocol, we consider a far more powerful ad- 
versary who has the ability not only to eavesdrop on, modify and delete the messages 
exchanged by entities, but also to insert messages of its own choice. This adver- 
sarial power is modeled by giving the adversary oracle access to the instances 
of our protocol. In addition, the adversary is given access to a Leak oracle that 
simulates Assumption 1. That is, the Leak oracle accepts an entity ID and then 
reveals the corresponding stored secrets. However, this oracle does not reveal the 
stored secrets of that entity's partner at the same time, because of Fact 2. 

3.1 Security of Password against the Leakage 

The primary goal of an adversary after obtaining stored secrets from a client 
and servers, respectively, is to perform an off-line exhaustive search for the client's 
password, which would make it possible to impersonate the client to other servers under 
Assumption 4. 

Theorem 1 The password in our protocol of Section 2.2 remains information- 
theoretically secure against off-line attacks after the leakage of stored secrets 
from the client $C$ and the $n-1$ servers $S_i$ ($1 \le i \le n-1$), respectively. Even if 
an adversary obtains stored secrets from the Leak oracle, she cannot retrieve the 
client's original password through off-line exhaustive search, which is the best attack 
for the adversary. 

Proof. When an adversary gets secrets stored in devices from the client $C$ and 
the $n-1$ servers $S_i$ ($1 \le i \le n-1$) respectively, what she wants to know is the 
client's password $pw$ or a value associated with the password 

$$h^{pw} = h^{\sum_{m=1}^{n} p(m)\cdot\lambda_m}. \qquad (12)$$ 

Only if the above value $h^{pw}$ is computed can the adversary narrow down the 
original password by checking possible password candidates with equation (12) 
one by one (through off-line exhaustive search). In order to simplify the proof, 
let us fix $n = 5$. 

First, we think of the security of the password against an adversary who obtains 
the stored secrets $h_i$ ($1 \le i \le 4$) of the client $C$ and is trying to deduce $h^{\sum_{m=1}^{5} p(m)\cdot\lambda_m}$ 
for the client's password $pw$. Below is the exponent part of $h_i$, written out from (4): 

$$\begin{pmatrix} \log_h h_1 \\ \log_h h_2 \\ \log_h h_3 \\ \log_h h_4 \end{pmatrix} = 
\begin{pmatrix} 0 & 1 & 1 & 1 & 1 \\ 1 & 0 & 1 & 1 & 1 \\ 1 & 1 & 0 & 1 & 1 \\ 1 & 1 & 1 & 0 & 1 \end{pmatrix} 
\begin{pmatrix} p(1)\cdot\lambda_1 \\ p(2)\cdot\lambda_2 \\ p(3)\cdot\lambda_3 \\ p(4)\cdot\lambda_4 \\ p(5)\cdot\lambda_5 \end{pmatrix} \qquad (13)$$ 

Equation (13) means that the secrets $h_i$ ($1 \le i \le 4$) don't reveal any information 
about the password $pw$, simply because each row contains 4 shares (the number 
of shares needed for the client's password is more than that of $h_i$ by one share) 
and the exponent parts of the $h_i$ are linearly independent of one another. That is, the 
adversary cannot compute $h^{\sum_{m=1}^{5} p(m)\cdot\lambda_m}$ with the stored secrets $h_i$. 

Second, we think of the security of the password against an adversary who obtains 
the stored secrets $h^{p(i)\cdot\lambda_i}$ of all the servers $S_i$ ($1 \le i \le 4$) and is trying to deduce 
$h^{\sum_{m=1}^{5} p(m)\cdot\lambda_m}$ for the client's password $pw$. Below is the exponent part of $h^{p(i)\cdot\lambda_i}$: 

$$\begin{pmatrix} \log_h S_1 \\ \log_h S_2 \\ \log_h S_3 \\ \log_h S_4 \end{pmatrix} = 
\begin{pmatrix} 1 & 0 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 & 0 \\ 0 & 0 & 1 & 0 & 0 \\ 0 & 0 & 0 & 1 & 0 \end{pmatrix} 
\begin{pmatrix} p(1)\cdot\lambda_1 \\ p(2)\cdot\lambda_2 \\ p(3)\cdot\lambda_3 \\ p(4)\cdot\lambda_4 \\ p(5)\cdot\lambda_5 \end{pmatrix} \qquad (14)$$ 

Intuitively, the number of shares included in $h^{\sum_{m=1}^{5} p(m)\cdot\lambda_m}$ is one more than that 
of $h^{p(i)\cdot\lambda_i}$ ($1 \le i \le 4$), since each row only contains one share of the $(5,5)$-threshold 
secret sharing scheme. Even if the adversary gathers all of the secret values 
from the servers $S_i$ ($1 \le i \le 4$), the number of shares is 4. That means the password 
is information-theoretically secure as the secret value of the $(5,5)$-threshold 
secret sharing scheme. 

□ 
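As an added worked check (not part of the paper), the linear-algebra step behind both cases can be made explicit. Write $\mathbf{s} = (p(1)\lambda_1, \dots, p(5)\lambda_5)^{\top}$, so that by (12) the target exponent is $\log_h h^{pw} = \mathbf{1}^{\top}\mathbf{s}$, and let $M$ be the $4 \times 5$ matrix of the case at hand, so the leaked view is $M\mathbf{s}$. The password stays hidden exactly when $\mathbf{1}^{\top}$ is not in the row space of $M$ over $\mathbb{Z}/q\mathbb{Z}$:

$$\begin{aligned}
&\text{(13): rows } \mathbf{1}^{\top} - \mathbf{e}_i^{\top},\ 1 \le i \le 4. \quad
\text{Suppose } \mathbf{1}^{\top} = \sum_{i=1}^{4} c_i\,(\mathbf{1}^{\top} - \mathbf{e}_i^{\top}). \\
&\qquad \text{Coordinate 5: } \sum_{i=1}^{4} c_i = 1; \qquad
\text{coordinate } j \in \{1,\dots,4\}: \sum_{i=1}^{4} c_i - c_j = 1 \ \Rightarrow\ c_j = 0, \\
&\qquad \text{so } \sum_i c_i = 0 \neq 1, \text{ a contradiction.} \\[4pt]
&\text{(14): rows } \mathbf{e}_1^{\top}, \dots, \mathbf{e}_4^{\top}. \quad
\text{Every combination has fifth coordinate } 0 \neq 1 = (\mathbf{1}^{\top})_5 .
\end{aligned}$$

In both cases the rows of $M$ are linearly independent (the same coordinate comparison with right-hand side $\mathbf{0}$ forces all $c_j = 0$), so the $5 \times 5$ matrix $\binom{M}{\mathbf{1}^{\top}}$ is invertible over $\mathbb{Z}/q\mathbb{Z}$. Hence for every observed view $M\mathbf{s}$ and every candidate $pw' \in \mathbb{Z}/q\mathbb{Z}$ there is exactly one $\mathbf{s}$ consistent with both: the leaked secrets carry no information about $pw$, which is the information-theoretic claim of Theorem 1.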


Theorem 2 (Indistinguishability of sk) Suppose the following adversary $\mathcal{A}$, 
which accepts a challenge transcript (that may be obtained by eavesdropping on a 
protocol run, impersonating a partner or intruding in the middle of the target enti- 
ties), and then asks $q_{ex}$, $q_{se}$, $q_{re}$ and $q_{le}$ queries to the Execute, Send, Reveal and 
Leak oracles respectively, and finally is given $sk_x$ by the $Test_{sk}$ oracle, where $sk_x$ is 
either the target session key or not, each with probability $1/2$. Then $\mathrm{Adv}_{\mathcal{A}}^{ind\text{-}sk}$, 
the advantage of adversary $\mathcal{A}$ in distinguishing whether $sk_x$ is the target session key 
or not in polynomial time $t$, is upper bounded by 

$$\mathrm{Adv}_{\mathcal{A}}^{ind\text{-}sk} \le \varepsilon_{mac}(k_2, t, q_{se} + 2q_{ex} + q_{re} + 2) + 2(q_{se} + q_{ex} + 1)\cdot\varepsilon_{ddh}(k_1, t) 
+ \frac{2(q_{se}+1)}{N} + \frac{2(2q_{se} + q_{ex} + 1)}{|\mathcal{G}|} \qquad (15)$$ 

where $k_1$ and $k_2$ are the security parameters and $N$ is the size of the password space. 

4 Extensions 

It is reasonable that a client has control of each of the secret values registered 
in different kinds of servers and of the password kept in his mind, regularly or 
irregularly. Here, we provide two extended versions of Section 2.2, simply by 
using a proactive threshold scheme [35] in which there is a basic assumption 
that an adversary who gets stored secrets from a server cannot obtain the update 
information. One is the secret-values update, which enables a client to up- 
date each of the secret values stored in different servers without changing his 
password. The other is the password update, which enables a client to 
change his password to a new one while updating each of the secret values in 
different servers. From the point of view of updating stored secrets, our approach is 
similar to those of key-insulated systems [13] and intrusion-resilient signatures 
[24]. However, the main difference is that we don't use TRMs (Tamper-Resistant 
Modules) to produce update information, which can be computed by the client 
himself in our protocol. We omit the two versions for Section 2.3, whose extensions 
can be readily obtained in the same way. 

[Secret-Values Update (for Proactive Security)] When a client $C$, in- 
cluded in $n$ entities, wants to update each of the secret values which has been 
registered to the respective $n-1$ different servers $S_i$ ($1 \le i \le n-1$) with 
new ones (to be generated by the same password $pw$), he picks another random 
polynomial $p'(x)$ of degree $n-1$ with coefficients randomly chosen in $(\mathbb{Z}/q\mathbb{Z})^*$: 

$$p'(x) = \sum_{j=0}^{n-1} \beta_j \cdot x^j \bmod q \qquad (16)$$ 

and sets $\beta_0 = 0$. After computing the respective shares $p'(i)$ ($1 \le i \le n-1$) 
with the above polynomial, the client transmits securely each of the new secret 
values $h^{p'(i)\cdot\lambda_i}$ to the corresponding server $S_i$ ($1 \le i \le n-1$) as follows: 

$$S_i \leftarrow h^{p'(i)\cdot\lambda_i}, \quad \text{where } \lambda_i = \prod_{k=1,\,k\neq i}^{n} \frac{k}{k-i} \bmod q \qquad (17)$$ 

where $p'(i)$ is a new share of the $(n,n)$-threshold secret sharing scheme and $\lambda_i$ is 
a Lagrange coefficient. Consequently, each server $S_i$ can produce an updated 
secret value $h^{(p(i)+p'(i))\cdot\lambda_i} = h^{p(i)\cdot\lambda_i}\cdot h^{p'(i)\cdot\lambda_i}$ by multiplying the previous secret 
value $h^{p(i)\cdot\lambda_i}$ by the new one $h^{p'(i)\cdot\lambda_i}$. Note that share $p'(n)$, which is for the client, 
is never registered to any server. Then, the client also updates and stores the 
corresponding secret values $h_i = h^{\sum_{l=1,\,l\neq i}^{n} (p(l)+p'(l))\cdot\lambda_l}$ ($1 \le i \le n-1$) in devices 
and keeps the same password $pw$ in mind: 

$$h_i \leftarrow h_i\cdot h^{\sum_{l=1,\,l\neq i}^{n} p'(l)\cdot\lambda_l}. \qquad (18)$$ 

Of course, the client doesn't need to update the secret values stored in the different 
servers $S_i$ ($1 \le i \le n-1$) simultaneously. That means he can update each of the 
secret values in the servers at any time, as long as the client chooses a different random 
polynomial every time. 

[Password Update] If a client C wants to change his password pw to a new one $pw_{new}$ while updating each of the secret values registered to the respective n − 1 different servers $S_i$ (1 ≤ i ≤ n − 1), he follows the above secret-values update in the same way except that the client picks another random polynomial $p''(x)$ of degree n − 1 with coefficients randomly chosen in $(Z/qZ)^*$:

$$p''(x) = \sum_{j=0}^{n-1} \gamma_j x^j \bmod q \qquad (19)$$

and sets $\gamma_0 = -pw + pw_{new}$, where $pw_{new}$ is the client's new password.
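The update of (16)-(18) and the password update of (19), as an added worked example in Python that is not part of the paper. The toy values of p, q and h are assumptions of this example, and the client's stored value $h_i$ is taken to be the product over all shares except the one held by server $S_i$, as in (18).

```python
# Added example (not from the paper): the secret-values update of (16)-(18) and
# the password update of (19), run on toy parameters constructed for this example.
import random

P = 2039      # toy prime, P = 2*Q + 1
Q = 1019      # toy prime order of the subgroup generated by H_GEN
H_GEN = 4     # generator h of the order-Q subgroup of Z_P^* (a quadratic residue)

def lagrange_coeff(i, n):
    """lambda_i = prod_{k=1, k != i}^{n} k/(k - i) mod q, as in (17)."""
    lam = 1
    for k in range(1, n + 1):
        if k != i:
            lam = lam * k * pow(k - i, -1, Q) % Q
    return lam

def random_poly(n, constant):
    """Polynomial of degree n-1 over Z_q with a prescribed constant term."""
    return [constant % Q] + [random.randrange(1, Q) for _ in range(n - 1)]

def evaluate(poly, x):
    return sum(coef * pow(x, j, Q) for j, coef in enumerate(poly)) % Q

def client_part(poly, lam, i, n):
    """Exponent of the client's stored value for server i: all shares except p(i)."""
    return sum(evaluate(poly, l) * lam[l] for l in range(1, n + 1) if l != i) % Q

def register(pw, n):
    """Initial registration with p(0) = pw. Server S_i (1 <= i <= n-1) stores
    h^{p(i) lambda_i}; the client stores h_i = h^{sum_{l != i} p(l) lambda_l}."""
    poly = random_poly(n, pw)
    lam = {i: lagrange_coeff(i, n) for i in range(1, n + 1)}
    servers = {i: pow(H_GEN, evaluate(poly, i) * lam[i] % Q, P) for i in range(1, n)}
    client = {i: pow(H_GEN, client_part(poly, lam, i, n), P) for i in range(1, n)}
    return servers, client

def update(servers, client, n, delta_constant=0):
    """Secret-values update (delta_constant = 0, i.e. beta_0 = 0 in (16)) or
    password update (delta_constant = pw_new - pw, i.e. gamma_0 in (19)).
    Each server multiplies in h^{p'(i) lambda_i}; the client applies (18)."""
    poly = random_poly(n, delta_constant)
    lam = {i: lagrange_coeff(i, n) for i in range(1, n + 1)}
    for i in range(1, n):
        servers[i] = servers[i] * pow(H_GEN, evaluate(poly, i) * lam[i] % Q, P) % P
        client[i] = client[i] * pow(H_GEN, client_part(poly, lam, i, n), P) % P

def combined(servers, client, i):
    """Server i's value times the client's h_i recovers h^{p(0)}, the password-derived secret."""
    return servers[i] * client[i] % P
```

Running `register(pw, 4)` followed by `update(...)` with the default constant leaves `combined` unchanged for every server, while a password update shifts it to $h^{pw_{new}}$.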
Abstract. A fair network payment protocol plays an important role in electronic commerce. The fairness concept in payments can be illustrated as follows: two parties (e.g. customers and merchants) exchange electronic items (e.g. electronic money and goods) with each other in a fair manner such that no one can gain an advantage over the other even if there are malicious actions during the exchange process. In the previous works on fair payments, the buyer is usually required to sign a purchase message which can be traced by everyone. The information about where the buyer spent the money and what he purchased would easily be revealed this way. This paper employs two techniques, off-line untraceable cash and designated confirmer signatures, to construct a new fair payment protocol in which the untraceability (or privacy) property can be achieved. A Restrictive Confirmation Signature Scheme (RCSS) will be introduced and used in our protocol to prevent interested persons other than the off-line TTP (Trusted Third Party) from tracing the buyer's spending behavior.

Keywords: Cryptography, Electronic cash, Payment System, Undeni- 
able Signature, Designated Confirmer Signatures, Electronic Commerce. 

1 Introduction 

How the two parties, buyer and merchant, exchange currency and electronic goods through the network in a fair manner is the crux of the problem in electronic transactions. Since most electronic business is conducted on an open and insecure network, how to prevent abnormal behavior, such as malicious termination of the payment process, becomes a critical security consideration in designing a fair payment protocol. A buyer who makes a payment over the network is usually worried that the merchant may refuse to deliver the soft goods though he has sent the money. On the other hand, a merchant will worry that he cannot receive the deserved money after the delivery of the goods. Since these two parties do not trust each other, no one wants to send his secret data until receiving the other's.

Two approaches to the achievement of fair exchange have been proposed. The first one is that two parties exchange data simultaneously [EGL85,OO94]. A simplified example to provide simultaneity is that they disclose the secret data bit by bit. This kind of scheme has the drawback that it requires many steps of interaction for exchanging data. In addition, one of the two parties will have the advantage of obtaining one more bit if he maliciously aborts in the middle of the protocol. The second approach is that a trusted third party (TTP) is involved in the exchange process. A straightforward method is that an on-line TTP who acts as a mediator receives the data from both parties in each transaction and then forwards them to the correct receivers [DGLW96,ZG96]. However, the TTP would become a communication bottleneck since he takes part in all transactions, including the normal cases in which the two parties honestly deliver their data. To improve the performance, a novel model called the off-line TTP has been proposed. In this model, the TTP is required to participate in the exchange protocol only when abnormal terminations or faults occur [ASW00,ZG97,BDM98,BF98,Che98]. That means the TTP is always able to solve the disputes between the two parties but need not take part in all transactions.

C.S. Laih (Ed.): ASIACRYPT 2003, LNCS 2894, pp. 173-187, 2003.

Previously, fair payments seemed to be achieved by use of fair exchange of signatures. For example, two parties can exchange the secret message (soft goods) and the signatures on purchase information. In [ASW98,BDM98,ASW00], a general concept of fair exchange of signatures with an off-line TTP is explicated as follows: one party A sends the encrypted signature to B and convinces B that it is valid and can be decrypted by the TTP, without revealing the content of the signature. If B completes the verification, he will send his signature (or secret data) to A. In a normal case, A should send his correct signature to B after he has received B's signature. However, if A maliciously aborts the protocol and refuses to send B his signature, B can deliver A's encrypted signature to the off-line TTP for decryption. The main technique used in these papers is called verifiable encryption protocol or escrow system [Sta96,Mao97]. However, a generic and efficient construction of verifiable encryption is difficult to implement. Bao et al. [BDM98] proposed a special implementation with the modified GQ signature algorithm, in which they claimed that the verifiable encryption protocol of the scheme was quite efficient. Unfortunately, Boyd et al. showed that the fairness could be destroyed because the receiver (or any observer) could directly calculate the sender's signature from the encrypted signature without the help of the TTP [BF98].

Recently, Boyd et al. [BF98] and Chen [Che98] proposed efficient fair exchange protocols with an off-line TTP by using verifiable confirmation signatures (Boyd et al. called them designated converter signatures to emphasize their conversion property). A designated third party, e.g. the TTP, can verify the original signatures with an interactive protocol or convert the signatures into self-authenticated signatures which can be verified by everyone. Their proposed schemes are generic constructions for fair exchange and can efficiently run over the Internet.

Our Contributions. Previous works on fair exchange are not really suitable for many applications on network payments because they are only used to exchange confidential data or signatures. In particular, many payment applications need to protect the buyer's purchase privacy, which has never been considered in the previous papers. In our view, a complete solution for fair payment should contain payment actions, such as an electronic cash or network credit card method, instead of simply signing the purchase information. Our proposed protocol is the first work to provide protection of the buyer's privacy, and it can be regarded as a process of fairly exchanging electronic coins and secret information. The main contributions of this paper are listed as follows:

1. Propose a generic model for real fair network payments.

2. Apply a subtle tool, the Restrictive Confirmation Signature Scheme (RCSS), to achieve the property of untraceability.

3. Design a new technique of pseudo e-coins to achieve fairness in exchanging the electronic cash.

4. Demonstrate how to construct a practical and efficient fair network payment protocol based on Brands' e-cash scheme [Bra93b].

The rest of the paper is organized as follows. We describe the basic model of the untraceable fair payment protocol in Section 2. In Section 3, we introduce a useful scheme called the Restrictive Confirmation Signature Scheme (RCSS), a basic component for establishing our new protocol. In Section 4, we combine the RCSS and Brands' electronic cash scheme to realize our protocol. In Section 5, we show the security analysis and discuss the properties. Finally, the concluding remarks and future research are given in Section 6.


2 The Basic Model 

We abstractly describe our work in this section. Assume that four parties: the buyer (U), the merchant (M), the bank (B) and the trusted third party (TTP) are involved in the protocol. In a general e-cash scheme, fairness cannot be achieved because the buyer is required to send true electronic coins (e-coins) to the merchant. Instead, this paper designs a technique of pseudo e-coins which can be converted to true ones by the TTP. The buyer applies the Restrictive Confirmation Signature Scheme (RCSS) (described in Section 3) to sign an order agreement that contains the buyer's and the merchant's names, the price of the goods, the purchase date/information and some other parameters. The RCSS can properly protect the buyer's purchase information by restricting the confirmer's confirmation capability on the signature.

Definition 1. (Restrictive Confirmation Signature Scheme (RCSS)).

Let $Sign_{DCS}(S, C, m)$, which is signed by S and can be confirmed by C, be a designated confirmer signature [Cha94] (or called a confirmation signature in [Che98]) on the message m. Assume that a group of verifiers $\mathcal{G} = \{V_i\}$ is pre-determined by S. We say that $Sign_{RCSS}(S, C, \mathcal{G}, m)$ is a restrictive confirmation signature on m if C can convince only some specified verifiers $V_i \in \mathcal{G}$ that $Sign_{RCSS}(S, C, \mathcal{G}, m)$ is valid and truly signed by S.
Three procedures similar to those of a general e-cash scheme (withdrawal, payment and deposit) are briefly depicted in the following. When a dispute occurs, the TTP is required to participate in an additional procedure, Disputes, to force the completion of the payment process.

Withdrawal. The buyer U withdraws money from the bank B. A blind signature applied here can guarantee unlinkability against the bank. The withdrawal procedure in our protocol is the same as the one in the general e-cash scheme. After this procedure, U obtains an electronic coin which can be directly paid to the merchant.

Payment. The buyer U and the merchant M exchange the electronic money and goods in this procedure. We assume U and M negotiate an order agreement that contains the merchandise items and price. The buyer U then sends enough pseudo e-coins and an RCSS signature on the order agreement to M. To prevent the merchant from maliciously delivering flawed goods, the buyer doesn't send true e-coins to the merchant until he checks and accepts the goods.

1. The buyer U selects the goods from merchant M's web site and signs an order agreement:

$\theta = Sign_{RCSS}(U, M, TTP, OA),$

where $OA = \{ID_U, ID_M, \text{purchase date/information}, \text{goods description}, \text{coin parameters}\}$.

2. The buyer U sends the pseudo e-coins and θ for the goods to the merchant M.

3. The merchant M verifies whether the pseudo e-coins and θ are valid. If both checks pass, M sends the goods to U. In this step the merchant M gains the conviction that he can prove the validity of θ to the TTP and ask the TTP to convert the pseudo e-coins into true e-coins if some fault occurs in the rest of the payment process.

4. U checks the goods delivered by M. If the goods are valid, U sends his true e-coins to M.

Disputes. Two possible disputes may occur during payment. M may refuse to send U the goods or cheat U by sending flawed goods. In this case, U will not send the true e-coins to M if he does not receive or accept the goods. On the other hand, U may refuse to send the true e-coins to M after he receives the valid goods. If so, M will begin the following procedure to ask the TTP to convert the pseudo e-coins into true ones.

1. The merchant M sends the pseudo e-coins, OA and θ to the TTP and proves that θ is a valid signature and truly signed by U. Note that no one except M and the TTP can be convinced that θ is valid, since RCSS is applied to the construction of θ.

2. M privately sends the goods to the TTP. The TTP checks whether the specification of the goods is consistent with the goods description field written in OA. If yes, the TTP sends M a transformation certificate (TCer) which can be used for the conversion of the pseudo e-coins.
An abnormal action is addressed here: M may abort step 3 in the payment procedure and directly ask the TTP to send him TCer after he receives the pseudo e-coins. However, M must send the TTP valid goods, since the TTP has the responsibility to carefully check the goods specification.

Deposit. Generally, the merchant M can forward the payment transcript, including the true e-coins, to the bank. However, if the payment process is maliciously aborted by U, M can send the partial payment transcript with the pseudo e-coins plus the transformation certificate (TCer) delivered by the TTP to the bank for deposit.

3 The Restrictive Confirmation Signature Scheme 

In the general designated confirmer signature [Cha94,Oka94,MS98,NMV99], a confirmer can help every recipient prove the validity of the signature to others. That means the confirmer has the complete capability of deciding who will benefit from being convinced by a signature. However, this property doesn't meet the requirements of our protocol. In this section, we will illustrate how to construct a Restrictive Confirmation Signature Scheme (RCSS). The basic structure of RCSS is similar to [WC03], but the two schemes have different purposes. The concept of RCSS is that we disallow the confirmer from arbitrarily choosing the verifiers; the signer predetermines one or more verifiers whom the confirmer can convince later. We provide a nice approach to add simulatability to an undeniable signature [CA89,Cha90,CHP92,GKR97]. Hence the signer can later create the proofs in a non-interactive way to delegate to the confirmer the capability of confirming the signature.

In the following, we first give some informal definitions and techniques used 
in this scheme. 

Definition 2. (Trap-Door Commitment (also see [BCC88,JSI96])).

Let c be a function with input (y, u, v). The notation y denotes the public key of the user whose corresponding secret key is x, u is a value committed to and v is a random number. We say c is a trap-door commitment if and only if it satisfies the following requirements:

1. No polynomial algorithm, when given y, can find two different pairs $(u_1, v_1)$ and $(u_2, v_2)$ such that $c(y, u_1, v_1) = c(y, u_2, v_2)$.

2. No polynomial algorithm, when given y and c(y, u, v), can find u.

3. There exists a polynomial algorithm that, when given the secret x, $(u_1, v_1)$ and a randomly selected number $u_2$, can find $v_2$ such that $c(y, u_1, v_1) = c(y, u_2, v_2)$ (that means the user who knows the secret x, given $(u_1, v_1)$, can easily forge the committed value by changing $u_1$ into $u_2$).

The following example was suggested by [BCC88,JSI96].

Trap-Door Commitment Example

Let p and q be two large primes with $q \mid p-1$. The notation g denotes a generator of the subgroup $G_q$ of $Z_p^*$ of prime order q. The recipient's secret key is $x \in Z_q^*$ and the corresponding public key is $y = g^x \bmod p$. The sender randomly selects $v \in Z_q^*$ and commits the value $u \in Z_q$ into c as follows:

$c = g^u y^v \bmod p.$

The sender sends (u, v) to the recipient for decommitting.

Trap-Door Commitment for Multiple Recipients

Jakobsson et al. [JSI96] proposed an efficient trap-door commitment scheme for multiple recipients $P_i$, $i = 1, 2, \ldots, n$. They modified the commitment to be $c = g^u \left(\prod_{i=1}^{n} y_i\right)^v \bmod p$, where $y_i$ denotes $P_i$'s public key. Each $P_i$ would be convinced by the proof that u cannot be forged by others as long as he knows his secret key has not been compromised. Any other user would not gain this conviction since all $P_i$, $i = 1, \ldots, n$, can collude to cheat him.

Definition 3. (Message-dependent Proof of Equality of the Discrete Logarithm [Pet97]). A message-dependent proof of equality of the discrete logarithm of $y_1$ to the base $g_1$ and $y_2$ to the base $g_2$ is a two-tuple $(w, z) = Proof_{LogEQ}(m, g_1, y_1, g_2, y_2)$, where $w = F(m\|g_1\|y_1\|g_2\|y_2\|g_1^z y_1^w\|g_2^z y_2^w)$ and F is a collision resistant hash function.

This proof shows that the prover knows the discrete logarithm $x : \log_{g_1}(y_1) = \log_{g_2}(y_2)$. To construct this proof, the prover randomly selects $k \in Z_q^*$ and calculates $w = F(m\|g_1\|y_1\|g_2\|y_2\|g_1^k\|g_2^k)$ and $z = k - xw \bmod q$.

Definition 4. (Designated Verifier Message-dependent Proof of Equality of the Discrete Logarithm). Let V denote a designated verifier who has a secret key/public key pair $(x_V, y_V = g^{x_V} \bmod p)$. A designated verifier message-dependent proof of equality of the discrete logarithm of $y_1$ to the base $g_1$ and $y_2$ to the base $g_2$ is a four-tuple $(w, z, u, v) = Proof_{DVLogEQ}(m, c, g_1, y_1, g_2, y_2, y_V)$, where $w = F(m\|c\|g_1\|y_1\|g_2\|y_2\|g_1^z y_1^{(w+u)}\|g_2^z y_2^{(w+u)})$ and $c = g^u y_V^v \bmod p$ is a trap-door commitment.

The prover, using this proof, can only convince the designated verifier V that he knows the discrete logarithm $x : \log_{g_1}(y_1) = \log_{g_2}(y_2)$. To construct this proof, the prover randomly selects $u, v, k \in Z_q^*$ and calculates $c = g^u y_V^v \bmod p$, $w = F(m\|c\|g_1\|y_1\|g_2\|y_2\|g_1^k\|g_2^k)$ and $z = k - x(w+u) \bmod q$.
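An added Python example (not from the paper) of Definition 2 and Definition 4 on toy parameters: the trap-door commitment with its equivocation, the designated verifier proof with its check, and the simulation that the designated verifier alone can run with $x_V$, which is what makes the proof convincing to nobody else. The group, the keys and SHA-256 standing in for F are assumptions of this example.

```python
# Added example (not from the paper): the trap-door commitment of Definition 2
# and the designated verifier proof of equality of Definition 4, on toy
# parameters p = 2q + 1 (all values below are constructed for this example).
import hashlib
import random

P, Q, G = 2039, 1019, 4     # toy primes; G generates the order-Q subgroup of Z_P^*

def F(*parts):
    """Collision resistant hash F(x_1 || x_2 || ...) into Z_Q (SHA-256 here)."""
    data = "||".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def commit(y, u, v):
    """Trap-door commitment c = g^u y^v mod p of the example in Section 3."""
    return pow(G, u, P) * pow(y, v, P) % P

def equivocate(x, u1, v1, u2):
    """Requirement 3 of Definition 2: the holder of the trap door x turns the
    opening (u1, v1) into (u2, v2) with the same commitment value."""
    return (v1 + (u1 - u2) * pow(x, -1, Q)) % Q

def dv_prove(m, x, g1, y1, g2, y2, yv):
    """Proof_DVLogEQ(m, c, g1, y1, g2, y2, yv) by a prover who knows
    x = log_g1(y1) = log_g2(y2); yv is the designated verifier's public key."""
    u, v, k = (random.randrange(1, Q) for _ in range(3))
    c = commit(yv, u, v)
    w = F(m, c, g1, y1, g2, y2, pow(g1, k, P), pow(g2, k, P))
    z = (k - x * (w + u)) % Q
    return (w, z, u, v)

def dv_verify(m, proof, g1, y1, g2, y2, yv):
    """Recompute c and check w = F(m||c||g1||y1||g2||y2||g1^z y1^(w+u)||g2^z y2^(w+u))."""
    w, z, u, v = proof
    c = commit(yv, u, v)
    lhs1 = pow(g1, z, P) * pow(y1, w + u, P) % P
    lhs2 = pow(g2, z, P) * pow(y2, w + u, P) % P
    return w == F(m, c, g1, y1, g2, y2, lhs1, lhs2)

def dv_simulate(m, xv, g1, y1, g2, y2, yv):
    """What the designated verifier can do with x_V alone: fix c = g^alpha first,
    pick z and beta = w + u freely, then open c to the u the hash dictates.
    This is why nobody but V is convinced by an accepting proof."""
    alpha, z, beta = (random.randrange(1, Q) for _ in range(3))
    c = pow(G, alpha, P)
    lhs1 = pow(g1, z, P) * pow(y1, beta, P) % P
    lhs2 = pow(g2, z, P) * pow(y2, beta, P) % P
    w = F(m, c, g1, y1, g2, y2, lhs1, lhs2)
    u = (beta - w) % Q                           # so that w + u = beta
    v = (alpha - u) * pow(xv, -1, Q) % Q         # g^u yv^v = g^alpha = c
    return (w, z, u, v)
```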

Definition 5. (Interactive Bi-proof of Equality (see [FOO92,MS98])).

Fujioka et al. in 1992 proposed an interactive bi-proof system that either proves $\log_\alpha(Y) = \log_\beta(Z)$ or proves $\log_\alpha(Y) \neq \log_\beta(Z)$. This proof system can be used to construct RCSS, in which the confirmer can prove the validity of the signature to the pre-determined verifiers. We use $BP(\alpha, Y, \beta, Z)$ to represent this proof system. We omit the detailed protocol here; the reader can refer to [FOO92].

Construction of RCSS

The previous works of designated confirmer signatures used the general self-authenticated signature (e.g. RSA, Schnorr [Sch91] and the extended Fiat-Shamir scheme) to construct their schemes. However, it is difficult for these schemes to restrict the confirmer's confirmation capability. Here, we use the message-dependent proof of equality (in Definition 3 and Definition 4) and the non-interactive undeniable signature [JSI96] to construct the RCSS. We also use $a = g^t \bmod p$ and $b = y_C^t \bmod p$, where $y_C$ denotes the confirmer's public key, to add the simulatability to the signature. In addition, we slightly modify the hinging method described in the schemes of [Cha94] and [MS98]. The following procedure demonstrates how to pre-determine a single verifier for a signer; however, it is easy to construct an extended scheme for multiple verifiers.

— System Setup. The parameters p, q and g are the same ones described previously, and $F_1, F_2$ are two collision resistant hash functions. The secret key/public key pairs of the signer S, the confirmer C, the recipient R and the verifier V are $(x_S, y_S = g^{x_S} \bmod p)$, $(x_C, y_C = g^{x_C} \bmod p)$, $(x_R, y_R = g^{x_R} \bmod p)$ and $(x_V, y_V = g^{x_V} \bmod p)$, respectively.

— Signing Protocol. Assume the signer has signed an undeniable signature $(a, b, \delta)$ on message m related to the confirmer's public key, i.e., $a = g^t \bmod p$, $b = y_C^t \bmod p$ and $\delta = (F_1(m\|a) + b)^{x_S} \bmod p$ (note that t is randomly selected by S). For delegating to C the ability of confirming this signature, the signer randomly selects $k, u, v_1, v_2$ and constructs a proof

$(w, z, u, v_1, v_2) = Proof_{DVLogEQ}(c, g, y_S, F_1(m\|a) + b, \delta, y_V),$

where $c = (c_1\|c_2)$, $c_1 = g^u y_V^{v_1} \bmod p$, $c_2 = g^u y_C^{v_2} \bmod p$, $w = F_2(c\|g\|y_S\|F_1(m\|a) + b\|\delta\|g^k\|(F_1(m\|a) + b)^k)$ and $z = k - x_S(w+u) \bmod q$. Note that we eliminate the first parameter m in $Proof_{DVLogEQ}$ because the message has been included in the other parameters $F_1(m\|a) + b$ and $\delta$. Thus, the RCSS on m is denoted $Sign_{RCSS}(S, C, V, m) = (a, b, u, v_1, v_2, w, z, \delta)$.

— Proof by the Signer. In the original definition of a designated confirmer signature scheme, the signer can convince the recipient R that a confirmer C can help R prove the validity of the signature to V. However, according to our basic model in Section 2, the confirmer C also plays the role of the recipient R. That means C will be convinced in this procedure that he is able to prove the validity of the signature to V. C checks the proof by computing $c = ((g^u y_V^{v_1} \bmod p)\|(g^u y_C^{v_2} \bmod p))$ and verifying

$w = F_2(c\|g\|y_S\|F_1(m\|a) + b\|\delta\|g^z y_S^{(w+u)}\|(F_1(m\|a) + b)^z \delta^{(w+u)}).$

To prove the relation of a and b, the signer needs to run the interactive protocol of bi-proof $BP(g, a, y_C, b)$ (see Definition 5) to show $\log_g(a) = \log_{y_C}(b)$.

— Confirmation Protocol. The confirmer C can prove the validity of the signature to V by running the interactive bi-proof protocol $BP(g, y_C, a, b)$ with V to show $\log_g(y_C) = \log_a(b)$. The verifier V needs to check whether the signature $(a, b, u, v_1, v_2, w, z, \delta)$ is created properly, and he can be convinced that the signature is valid if he accepts the proof $BP(g, y_C, a, b)$.
— Conversion Protocol. The confirmer can convert the designated confirmer signature to a general non-interactive undeniable signature. Since the signer has constructed the designated verifier proof in a non-interactive way, V can check the validity of the signature by himself. The verifier V no longer needs to ask C to help him verify the signature. Here, C randomly selects $\alpha \in Z_q^*$ and computes $E = a^\alpha \bmod p$ and $T = \alpha + x_C F(a, E) \bmod q$, where F is also a hash function. The confirmer sends (E, T) to the verifier V; thus, V can verify $a^T = E\, b^{F(a, E)}$ [Cha94].
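An added Python example (not from the paper) of the signing protocol, the check of the signer's proof by C, and the conversion protocol above, on toy parameters with SHA-256 standing in for $F_1$, $F_2$ and F. It assumes that the hinge value $F_1(m\|a) + b$ is squared so that it lies in the order-q subgroup, which the exponent arithmetic mod q needs and the paper leaves implicit; the interactive bi-proof BP is omitted, as in the paper.

```python
# Added example (not from the paper): signing an RCSS, the confirmer's check of
# the designated verifier proof, and the conversion protocol, on toy parameters.
# Assumption of this example: the hinge value F_1(m||a) + b is squared so that
# it lies in the order-Q subgroup (the paper leaves this implicit).
import hashlib
import random

P, Q, G = 2039, 1019, 4     # toy primes; G generates the order-Q subgroup of Z_P^*

def F(*parts):
    """Collision resistant hash into Z_Q; stands in for F_1, F_2 and F (SHA-256 here)."""
    data = "||".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def keygen():
    """Secret/public key pair (x, y = g^x mod p) for S, C or V."""
    x = random.randrange(1, Q)
    return x, pow(G, x, P)

def hinge(m, a, b):
    """(F_1(m||a) + b)^2 mod p: the hinged base of the undeniable signature."""
    return pow(F(m, a) + b, 2, P)

def rcss_sign(m, xs, ys, yc, yv):
    """Sign_RCSS(S, C, V, m) = (a, b, u, v1, v2, w, z, delta)."""
    t = random.randrange(1, Q)
    a, b = pow(G, t, P), pow(yc, t, P)                   # a = g^t, b = y_C^t
    base = hinge(m, a, b)
    delta = pow(base, xs, P)                             # undeniable signature part
    k, u, v1, v2 = (random.randrange(1, Q) for _ in range(4))
    c1 = pow(G, u, P) * pow(yv, v1, P) % P               # trap door for V
    c2 = pow(G, u, P) * pow(yc, v2, P) % P               # trap door for C
    w = F((c1, c2), G, ys, base, delta, pow(G, k, P), pow(base, k, P))
    z = (k - xs * (w + u)) % Q
    return (a, b, u, v1, v2, w, z, delta)

def rcss_check(m, sig, ys, yc, yv):
    """Proof by the Signer, as checked by C (or V): recompute c = (c1||c2) and the hash."""
    a, b, u, v1, v2, w, z, delta = sig
    base = hinge(m, a, b)
    c1 = pow(G, u, P) * pow(yv, v1, P) % P
    c2 = pow(G, u, P) * pow(yc, v2, P) % P
    lhs1 = pow(G, z, P) * pow(ys, w + u, P) % P           # g^z y_S^(w+u) = g^k
    lhs2 = pow(base, z, P) * pow(delta, w + u, P) % P     # base^z delta^(w+u) = base^k
    return w == F((c1, c2), G, ys, base, delta, lhs1, lhs2)

def convert(sig, xc):
    """Conversion Protocol: C publishes (E, T) with E = a^alpha, T = alpha + x_C F(a, E)."""
    a = sig[0]
    alpha = random.randrange(1, Q)
    E = pow(a, alpha, P)
    return (E, (alpha + xc * F(a, E)) % Q)

def verify_conversion(sig, cert):
    """Anyone can check a^T = E b^{F(a,E)} mod p, i.e. log_g(y_C) = log_a(b)."""
    a, b = sig[0], sig[1]
    E, T = cert
    return pow(a, T, P) == E * pow(b, F(a, E), P) % P
```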


Security of RCSS 

Here, some security properties will be considered for RCSS. 

Unforgeability. The forgeability problem, in which an intruder I tries to forge $(a^*, b^*, \delta^*)$ without access to the secret key $x_S$, can be illustrated with two scenarios. The first one is that I selects a message $m^*$ and $a^*$ and computes $b^* = F_1(m\|a) + b - F_1(m^*\|a^*)$. However, the $b^*$ which I can easily calculate would not have the same discrete logarithm as $a^*$ has, because $F_1$ is a collision resistant hash function whose output is approximately random. The second one is that I randomly selects $t^* \in Z_q^*$ and computes $a^* = g^{t^*}$ and $b^* = y_C^{t^*}$. In this attack scenario, I cannot find a proper $m^*$ to satisfy the equation $F_1(m^*\|a^*) + b^* = F_1(m\|a) + b$, since inverting a one-way hash function $F_1$, given its output, is computationally infeasible.

Indistinguishability. Given a random number $a^*$, a simulated signature on the message $m^*$ can be represented as $(a^*, b^*, u, v_1, v_2, w, z, \delta)$ where $b^* = F_1(m\|a) + b - F_1(m^*\|a^*)$. The verifier cannot distinguish between the correct signature and the simulated signature because he knows nothing about the discrete logarithm of $a^*$ to the base g and of $b^*$ to the base $y_C$. Hence, without the confirmer's help, the verifier would not be convinced that both discrete logarithms of $a^*$ and $b^*$ are equal. The indistinguishability of RCSS can also be proved under the Decision Diffie-Hellman assumption [MS98].

The following lemma shows that no one except the confirmer C and the 
designated verifier V can be convinced that the RCSS is correctly constructed 
and truly signed by S. Note that C and V can be convinced by the proof of 
the signature because they know their secret keys have not been compromised; 
however, others cannot obtain this conviction since they know that C and V are 
able to collude to create a simulated transcript to cheat them. 

Lemma 1. (Simulating Transcripts of RCSS). The confirmer C and the designated verifier V can collude to create a simulated transcript of RCSS without accessing the signer's secret key $x_S$. Assume that V randomly selects $\alpha_1$ and computes $c_1 = g^{\alpha_1} \bmod p$, and C randomly selects $\alpha_2$ and computes $c_2 = g^{\alpha_2} \bmod p$. Thus they can compute the following simulated transcript by cooperatively choosing the random numbers $\beta, \tau, z \in Z_q^*$:

$c = (c_1\|c_2),$

$a = g^\tau \bmod p,$

$b = y_C^\tau \bmod p,$

$w = F_2(c\|g\|y_S\|F_1(m^*\|a) + b\|\delta\|g^z y_S^\beta\|(F_1(m^*\|a) + b)^z \delta^\beta),$

$u = (\beta - w) \bmod q.$

V and C individually compute $v_1$ and $v_2$ as below:

$v_1 = (\alpha_1 - u)(x_V)^{-1} \bmod q,$

$v_2 = (\alpha_2 - u)(x_C)^{-1} \bmod q.$

4 The Realization of Our Fair Network Payment Model 

Brands in 1993 proposed a nice approach to untraceable electronic cash [Bra93b]. In this section, we will present an untraceable fair payment protocol based on a modification of Brands' scheme. We develop a pseudo e-coin technique combined into the payment procedure. Some mathematical definitions are omitted here, and the reader can refer to [Bra93b] for further details.

The concept of the pseudo e-coin technique is to create a designated confirmer signature (DCS) by which the merchant can be convinced that there exists a trusted third party (TTP) who can convert the DCS into a self-authenticated signature. Therefore, if the merchant later does not receive the true e-coins from the buyer, he can ask the TTP for a transformation certificate TCer.

We explicate an off-line fair payment in the following procedures. To simplify the notation, we redefine all symbols in this section except some common parameters such as p, q and g (note that the symbols used in this section have different definitions from those in Section 3).

Setup. Let p and q be two large primes as defined in Section 3. The bank B publishes a generator-tuple $(g, g_1, g_2)$ in $G_q$ and two collision-resistant hash functions $H : G_q \times G_q \times G_q \times G_q \times G_q \times G_q \to Z_q^*$ and $H_0 : G_q \times G_q \times ID \times DATE/TIME \to Z_q^*$. B also generates a random number $x_B \in Z_q^*$ as his secret key corresponding to a public key $y_B = g^{x_B} \bmod p$.

Account Opening. The buyer U randomly selects $u_1 \in Z_q^*$ and transmits $I = g_1^{u_1} \bmod p$ to B if $I g_2 \neq 1$. The identifier I used to uniquely identify U can be regarded as the account number of U. Then B publishes $g_1^{x_B} \bmod p$ and $g_2^{x_B} \bmod p$ so that U can compute $z = (I g_2)^{x_B} = (g_1^{x_B})^{u_1} g_2^{x_B} \bmod p$ for himself¹.

Withdrawal. The buyer U performs the following protocol to withdraw a single e-coin from the bank:

¹ Chan et al. [CFMT96] have pointed out a problem of mis-representation of identities for Brands' scheme (Brands commented that it is only an inadvertent omission and a similar result has been presented in [Bra93a]). This problem can be efficiently solved by applying a minimal-knowledge proof to prove the correct construction of I during the account opening stage.



182 Chih-Hung Wang


1. B randomly selects $w \in Z_q^*$ and sends $e_1 = g^w \bmod p$ and $e_2 = (I g_2)^w \bmod p$ to U.

2. U randomly selects $s, x_1$ and $x_2$ in $Z_q^*$ and computes $A = (I g_2)^s \bmod p$, $B = g_1^{x_1} g_2^{x_2} \bmod p$ and $z' = z^s \bmod p$. U also randomly selects u, v and $t_c$ in $Z_q^*$ and computes $e_1' = e_1^u g^v \bmod p$, $e_2' = e_2^{su} A^v \bmod p$ and $(a_c, b_c) = (g^{t_c} \bmod p, y_{TTP}^{t_c} \bmod p)$. Then U sends $c = d/u \bmod q$ to B, where $d = H(A, B, z', e_1', e_2', b_c) + a_c \bmod q$. Note that $(a_c, b_c)$ is a pair of confirmation parameters.

3. B sends $r = c x_B + w \bmod q$ to U.

4. U verifies whether $g^r = y_B^c e_1 \bmod p$ and $(I g_2)^r = z^c e_2 \bmod p$. If the verification holds, U accepts and computes $r' = ru + v \bmod q$. Note that $\langle A, B, (z', e_1', e_2', r', a_c, b_c) \rangle$ represents a single pseudo e-coin.


Payment. The buyer U and the merchant M exchange the e-coins and the soft goods in this procedure. The following protocol will be carried out (note that we add subscripts to some symbols to represent the multiple e-coins).

1. The buyer U selects goods and signs an order agreement

$\theta = Sign_{RCSS}(U, M, TTP, OA),$

where $OA = \{ID_U, ID_M, \text{purchase date/information}, \text{goods description}, (A_i, B_i)_{i=1,2,\ldots,n}\}$ and n denotes the number of e-coins for the goods which U wants to buy.

2. The buyer U sends the unused e-coins $\langle A_i, B_i, (z_i', e_{1i}', e_{2i}', r_i', a_{ci}, b_{ci}) \rangle$, for $i = 1, 2, \ldots, n$, to M.

3. The merchant M verifies the pseudo e-coins and θ. If all of them are valid and $A_i \neq 1$, for $i = 1, 2, \ldots, n$, then he sends $d_i = H_0(A_i, B_i, ID_M, \text{date/time})$ to U.

4. The buyer U sends $k_{1i} = d_i(u_{1i} s_i) + x_{1i} \bmod q$ and $k_{2i} = d_i s_i + x_{2i} \bmod q$, for $i = 1, 2, \ldots, n$, to the merchant M. In addition, the buyer U must run the interactive bi-proof protocol $BP(g, a_{ci}, y_{TTP}, b_{ci})$ with M to show all $\log_g(a_{ci}) = \log_{y_{TTP}}(b_{ci})$.

5. The merchant M will accept these pseudo e-coins and payment transcripts $\langle A_i, B_i, (z_i', e_{1i}', e_{2i}', r_i', a_{ci}, b_{ci}), (d_i, k_{1i}, k_{2i}) \rangle$, for $i = 1, 2, \ldots, n$, if the following verifications hold:




4j, and 


If the above verifications pass, the merchant M sends the soft goods to the buyer U.

6. The buyer U checks the soft goods delivered by M. If they are flawless, he releases $t_{ci}$, for $i = 1, 2, \ldots, n$, to the merchant M. Since everyone can check $a_{ci} = g^{t_{ci}} \bmod p$ and $b_{ci} = y_{TTP}^{t_{ci}} \bmod p$ by himself, the coin $\langle A_i, B_i, (z_i', e_{1i}', e_{2i}', r_i', a_{ci}, b_{ci}, t_{ci}), (d_i, k_{1i}, k_{2i}) \rangle$ denotes a true e-coin that can be directly cashed from the bank.
Disputes. If U refuses to send $t_{ci}$ to the merchant M (see Step 6 in the Payment procedure), M will begin the dispute process in which the TTP can convert the pseudo e-coins into true e-coins.

1. The merchant M sends the order agreement OA, the signature θ, the soft goods and the pseudo e-coins $\langle A_i, B_i, (z_i', e_{1i}', e_{2i}', r_i', a_{ci}, b_{ci}), (d_i, k_{1i}, k_{2i}) \rangle$, for $i = 1, 2, \ldots, n$, to the TTP.

2. The TTP checks the validity of the soft goods, the pseudo e-coins and the signature θ. If the pseudo e-coins are constructed properly, the soft goods transmitted from M are consistent with the description in OA, and θ is valid, the TTP sends M a transformation certificate $TCer = (E_{ci}, T_{ci})$, for $i = 1, 2, \ldots, n$, where $E_{ci} = a_{ci}^{\alpha_i} \bmod p$ ($\alpha_i$ is a random number selected by the TTP) and $T_{ci} = \alpha_i + x_{TTP} F(a_{ci}, E_{ci}) \bmod q$. The transformation certificate can be used to verify the relation of $a_{ci}$ and $b_{ci}$ by the following equation:

$a_{ci}^{T_{ci}} = E_{ci}\, b_{ci}^{F(a_{ci}, E_{ci})} \bmod p.$

3. The TTP sends the soft goods to the buyer U.

Deposit. In a normal case, M forwards the payment transcript and the true e-coins $\langle A_i, B_i, (z_i', e_{1i}', e_{2i}', r_i', a_{ci}, b_{ci}, t_{ci}), (d_i, k_{1i}, k_{2i}) \rangle$, for $i = 1, 2, \ldots, n$, to the bank for deposit. Nevertheless, if the buyer U maliciously aborts the payment process, M can start the dispute process to acquire the TCer from the TTP. In this situation, the pseudo e-coins $\langle A_i, B_i, (z_i', e_{1i}', e_{2i}', r_i', a_{ci}, b_{ci}), (d_i, k_{1i}, k_{2i}) \rangle$ plus $TCer = (E_{ci}, T_{ci})$, for $i = 1, 2, \ldots, n$, can be the valid tokens for deposit. We can also regard $\langle A_i, B_i, (z_i', e_{1i}', e_{2i}', r_i', a_{ci}, b_{ci}), (d_i, k_{1i}, k_{2i}), (E_{ci}, T_{ci}) \rangle$ as a true e-coin in a different form.
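The withdrawal, payment and dispute steps above for a single pseudo e-coin, as an added Python example that is not from the paper. The merchant's verification equations, which survive only partially on this page, are taken here from Brands' scheme and the coin definitions above (they follow from $d = H(\ldots) + a_c$, $r' = ru + v$ and $k_{1}, k_{2}$ as stated); the group, keys, identifiers and SHA-256 standing in for H, $H_0$ and F are toy values assumed by this example.

```python
# Added example (not from the paper): one pseudo e-coin through withdrawal,
# payment and the TTP's transformation certificate, on toy parameters.
import hashlib
import random

P, Q = 2039, 1019           # toy primes with P = 2Q + 1
G, G1, G2 = 4, 9, 16        # generator-tuple (g, g_1, g_2) in the order-Q subgroup of Z_P^*

def Hsh(*parts):
    """Collision-resistant hash into Z_Q; stands in for H, H_0 and F (SHA-256 here)."""
    data = "||".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def rnd():
    return random.randrange(1, Q)

class Bank:
    """Bank B: secret x_B, public y_B = g^{x_B}, and the published g_1^{x_B}, g_2^{x_B}."""
    def __init__(self):
        self.x = rnd()
        self.y = pow(G, self.x, P)
        self.g1x, self.g2x = pow(G1, self.x, P), pow(G2, self.x, P)

    def withdraw_start(self, I):
        self.w = rnd()                                   # one withdrawal session at a time
        return pow(G, self.w, P), pow(I * G2 % P, self.w, P)   # (e_1, e_2)

    def withdraw_finish(self, c):
        return (c * self.x + self.w) % Q                 # r = c x_B + w

def withdraw(bank, y_ttp, u1):
    """Buyer side of Withdrawal. Returns the pseudo e-coin and the buyer's secrets (s, x_1, x_2, t_c)."""
    I = pow(G1, u1, P)                                   # account identifier
    z = pow(bank.g1x, u1, P) * bank.g2x % P              # z = (I g_2)^{x_B}
    e1, e2 = bank.withdraw_start(I)
    s, x1, x2, u, v, tc = (rnd() for _ in range(6))
    A = pow(I * G2 % P, s, P)
    B = pow(G1, x1, P) * pow(G2, x2, P) % P
    z_ = pow(z, s, P)
    e1_ = pow(e1, u, P) * pow(G, v, P) % P
    e2_ = pow(e2, s * u, P) * pow(A, v, P) % P
    ac, bc = pow(G, tc, P), pow(y_ttp, tc, P)            # confirmation parameters (a_c, b_c)
    d = (Hsh(A, B, z_, e1_, e2_, bc) + ac) % Q
    c = d * pow(u, -1, Q) % Q                            # blinded challenge c = d/u
    r = bank.withdraw_finish(c)
    if pow(G, r, P) != pow(bank.y, c, P) * e1 % P or pow(I * G2 % P, r, P) != pow(z, c, P) * e2 % P:
        raise ValueError("bank response failed the withdrawal check")
    r_ = (r * u + v) % Q
    return (A, B, (z_, e1_, e2_, r_, ac, bc)), (s, x1, x2, tc)

def check_coin(coin, y_bank):
    """Merchant's check of a pseudo e-coin: Brands' verification with the hinge d = H(...) + a_c."""
    A, B, (z_, e1_, e2_, r_, ac, bc) = coin
    d = (Hsh(A, B, z_, e1_, e2_, bc) + ac) % Q
    return (A != 1 and pow(G, r_, P) == pow(y_bank, d, P) * e1_ % P
            and pow(A, r_, P) == pow(z_, d, P) * e2_ % P)

def pay(coin, secrets, u1, id_m, when):
    """Payment step 4: the buyer answers the challenge d_i = H_0(A_i, B_i, ID_M, date/time)."""
    A, B, _ = coin
    s, x1, x2, _ = secrets
    d = Hsh(A, B, id_m, when)
    return d, (d * u1 * s + x1) % Q, (d * s + x2) % Q   # (d_i, k_1i, k_2i)

def check_payment(coin, resp):
    """Merchant's check of the response: g_1^{k_1} g_2^{k_2} = A^d B (Brands' payment check)."""
    A, B, _ = coin
    d, k1, k2 = resp
    return pow(G1, k1, P) * pow(G2, k2, P) % P == pow(A, d, P) * B % P

def ttp_certificate(coin, x_ttp):
    """Dispute step 2: TCer = (E_c, T_c) with E_c = a_c^alpha, T_c = alpha + x_TTP F(a_c, E_c)."""
    ac = coin[2][4]
    alpha = rnd()
    E = pow(ac, alpha, P)
    return E, (alpha + x_ttp * Hsh(ac, E)) % Q

def check_certificate(coin, cert):
    """Anyone can check a_c^{T_c} = E_c b_c^{F(a_c, E_c)} mod p: the pseudo e-coin is now a true one."""
    ac, bc = coin[2][4], coin[2][5]
    E, T = cert
    return pow(ac, T, P) == E * pow(bc, Hsh(ac, E), P) % P
```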

5 Security Issues 

The security of our new protocol relies on Brands’ e-cash scheme and RCSS. The 
following properties are provided to prove the fairness and untraceability which 
are both pivotal features in our protocol. 

Proposition 1. (Unforgeability). No one except U can create his own pseudo e-coins $\langle A_i, B_i, (z_i', e_{1i}', e_{2i}', r_i', a_{ci}, b_{ci}), (d_i, k_{1i}, k_{2i}) \rangle$, for $i = 1, 2, \ldots, n$.

This proposition holds because Brands' e-cash scheme is secure. The possible scenario of forging the e-coins is that the attacker randomly selects $\tilde{u}_{1i}, s_i, \tilde{x}_{1i}$ and $\tilde{x}_{2i}$ in $Z_q^*$ and computes $A_i = (g_1^{\tilde{u}_{1i}} g_2)^{s_i} \bmod p$ and $B_i = g_1^{\tilde{x}_{1i}} g_2^{\tilde{x}_{2i}} \bmod p$. In this case, the attacker can randomly select $z_i', r_i'$ and $d_i$ to compute $e_{1i}' = g^{r_i'} y_B^{-d_i}$ and $e_{2i}' = A_i^{r_i'} z_i'^{-d_i}$. The purpose of the attacker is to find proper $a_{ci}^*$ and $b_{ci}^*$ such that $d_i = H(A_i, B_i, z_i', e_{1i}', e_{2i}', b_{ci}^*) + a_{ci}^*$. However, though the attacker can easily calculate $a_{ci}^* = d_i - H(A_i, B_i, z_i', e_{1i}', e_{2i}', b_{ci}^*)$ by randomly selecting a value of $b_{ci}^*$, it is computationally infeasible for the attacker to find $a_{ci}^*$ and $b_{ci}^*$ which have the same discrete logarithm, because H is a collision resistant hash function whose output is approximately random.
Proposition 2. (Indistinguishability). No one can distinguish between a valid pseudo e-coin and a simulated one without the help of the buyer or TTP.

According to Proposition 1, a simulated pseudo e-coin can be represented as $\langle A_i, B_i, (z'_i, e'_{1i}, e'_{2i}, r'_i, a^*_{ci}, b^*_{ci}), (d_i,\ k_{1i} = d_i(\tilde u_{1i} \tilde s_i) + \tilde x_{1i},\ k_{2i} = d_i \tilde s_i + \tilde x_{2i}) \rangle$.

Any interested party, such as a bank, cannot distinguish between a properly constructed pseudo e-coin and a simulated pseudo e-coin without the help of the buyer or TTP, because the bank knows nothing about the discrete logarithm of $a^*_{ci}$ to the base g and of $b^*_{ci}$ to the base $y_{TTP}$. That means the bank cannot be convinced that the discrete logarithms of $a^*_{ci}$ and $b^*_{ci}$ are equal. This property provides fairness: even if the buyer U sends the pseudo e-coins to the merchant M before he receives the soft goods, the merchant M cannot gain an advantage over U.

Proposition 3. (Convertibility). If M accepts the pseudo e-coins, it is guaranteed that TTP can later convert the pseudo e-coins into the true e-coins which can be directly deposited in the bank.

This proposition can be proven by the confirmation signatures [Cha94,MS98]. The merchant M cannot accept an invalid pseudo e-coin except with negligible probability.

Lemma 2. (Fairness). If the propositions of unforgeability, indistinguishability, and convertibility hold for our newly proposed payment protocol, it can be guaranteed that, at the end of the transaction, the buyer U can obtain the soft goods if and only if the merchant M can gain the equivalent true e-coins.

Clearly, if the two parties U and M are honest, fairness can be achieved without interacting with TTP. The remaining case is that one of U and M is dishonest. Unforgeability guarantees that U cannot fool M by delivering invalid pseudo e-coins, and convertibility prevents U from refusing to send true e-coins or from sending forged e-coins to M. On the other hand, if M is dishonest, he may refuse to send valid goods to U after he receives the valid pseudo e-coins. However, because of indistinguishability, M cannot obtain useful e-coins for deposit if he cheats during the payment procedure.

Lemma 3. (Untraceability). No one except M and TTP can confirm the signature $\theta$. That means only M and TTP can be convinced that the order agreement OA is valid.

This lemma holds because the signature $\theta$ is created by RCSS. Thus M can only convince TTP that $\theta$ is really signed by U. The security of RCSS has been discussed in Section 3.

Lemma 4. (Unlinkability). The bank or other parties cannot link a coin $\langle A_i, B_i, (z'_i, e'_{1i}, e'_{2i}, r'_i, a_{ci}, b_{ci}) \rangle$ to the original owner.

This lemma can be proven by using the blind signature property of the withdrawal procedure in [Bra93b].

Coin Size. Compared to Brands' scheme, an individual coin of our protocol has three extra items: $a_c$, $b_c$ and $t_c$. The total size of these items is $2|p| + |q|$. Especially, in the dispute condition, TTP is required to release TCer with the size of $|p| + |q|$.

6 Conclusions 

Electronic cash is considered to have a significant advantage over network credit cards because the former can properly protect the buyer's payment privacy. In this paper, we have presented a general model in which two parties can fairly exchange electronic cash and soft goods. Our new scheme is also the first one that provides the untraceability property for fair payments.

As future research, we plan to design fair payment protocols with other payment tools, such as the electronic check and divisible electronic cash. The privacy property, for which we have constructed a generic model, is a critical issue in the design of our future work.
Abstract. We introduce a new cryptographic tool: multiset hash functions. Unlike standard hash functions which take strings as input, multiset hash functions operate on multisets (or sets). They map multisets of arbitrary finite size to strings (hashes) of fixed length. They are incremental in that, when new members are added to the multiset, the hash can be updated in time proportional to the change. The functions may be multiset-collision resistant in that it is difficult to find two multisets which produce the same hash, or just set-collision resistant in that it is difficult to find a set and a multiset which produce the same hash.

We demonstrate how set-collision resistant multiset hash functions make 
an existing offline memory integrity checker secure against active ad- 
versaries. We improve on this checker such that it can use smaller time 
stamps without increasing the frequency of checks. The improved checker 
uses multiset-collision resistant multiset hash functions. 

Keywords: multiset hash functions, set-collision resistance, multiset- 
collision resistance, incremental cryptography, memory integrity checking 


1 Introduction 

Standard hash functions, such as SHA-1 [11] and MD5 [12], map strings of 
arbitrary finite length to strings (hashes) of a fixed length. They are collision- 
resistant in that it is difficult to find different input strings which produce the 
same hash. Incremental hash functions, described in [2], have the additional 
property that, given changes to the input string, the computation to update 
the hashes is proportional to the amount of change in the input string. For a 
small change, incremental hashes can be quickly updated, and do not need to 
be recalculated over the entire new input. 

Multiset hash functions are a novel cryptographic tool, for which the ordering of the inputs is not important. They map multisets of arbitrary finite size to hashes of fixed length. They are incremental in that, when new members are added to the multiset, the hash can be quickly updated. Because multiset hash functions work on multisets, we introduce definitions for multiset-collision resistance and set-collision resistance.

* Note: authors are listed alphabetically.

In particular, we introduce four multiset hash functions, each with its own 
advantages. MSet-XOR-Hash uses the XOR operation and is very efficient; how- 
ever, it uses a secret key and is only set-collision resistant. MSet-Add-Hash 
uses addition modulo a large integer and, thus, is slightly less efficient than 
MSet-XOR-Hash; MSet-Add-Hash also uses a secret key but it is multiset-collision 
resistant. MSet-Mu-Hash uses finite field arithmetic and is not as efficient as 
the other two hash functions; however, MSet-Mu-Hash is multiset-collision re- 
sistant, and unlike the other two hash functions, does not require a secret key. 
MSet-VAdd-Hash is more efficient than MSet-Mu-Hash; it is also multiset-collision 
resistant, and does not use a secret key, but the hashes it produces are signifi- 
cantly longer than the hashes of the other functions. 

The proven security of MSet-XOR-Hash and MSet-Add-Hash is quantitative. 
We reduce the hardness of finding collisions to the hardness of breaking the 
underlying pseudorandom functions. The proven security of MSet-Mu-Hash is in 
the random oracle model and is based on the hardness of the discrete logarithm 
problem. The proven security of MSet-VAdd-Hash is also in the random oracle 
model and is based on the hardness of the worst-case shortest vector problem. 

We demonstrate how multiset hash functions enable secure offline integrity 
checkers for untrusted memory. Checking the integrity of memory is important 
in building secure processors which can facilitate software licensing and Digital 
Rights Management (DRM) [13,14]. 

The paper is organized as follows. Section 2 describes related work and sum- 
marizes our contributions. Multiset hash functions are defined in Section 3. 
MSet-XOR-Hash and MSet-Add-Hash are described in Section 4; MSet-Mu-Hash 
and MSet-VAdd-Hash are described in Section 5. Our application of multiset 
hash functions to checking the integrity of memory is detailed in Section 6. Sec- 
tion 7 concludes the paper. Appendices A, B, C, and D prove the security of our 
multiset hash functions. Appendix E proves the security of our memory integrity 
checker. 

2 Related Work and Our Contributions 

The main contribution of our work is the introduction of multiset hash functions 
together with the definition of multiset and set collision resistance. The second 
contribution is the development of a general theory leading to Theorem 1 from 
which we derive set-collision resistance for MSet-XOR-Hash, a multiset hash based 
on the XOR operation (addition modulo 2), and multiset-collision resistance for 
MSet-Add-Hash, a multiset hash based on addition modulo a large integer. The 
theory generalizes the results in [3], where an XOR-based scheme is used for 
message authentication. Our theory holds for addition modulo any integer. 

Both MSet-XOR-Hash and MSet-Add-Hash use a secret key. The third contri- 
bution is Theorem 2 that proves multiset-collision resistance for MSet-Mu-Hash, 
a multiset hash function based on multiplication in a finite field; MSet-Mu-Hash 
does not use a secret key. The proof’s basic line of thought is from [4] which 
develops message hashing based on multiplication in a finite field. The fourth 
contribution, leading to MSet-VAdd-Hash, is Theorem 3 proving that we may re- 
place multiplication in the finite field by vector addition modulo a large integer. 
In [4], a similar theorem is used for message hashing. Our theorem (and their 
theorem) follows directly from application of Ajtai’s theorem [1,8]. 

Our final significant contribution is that we introduce an offline checker that 
is cryptographically secure against active adversaries, and which improves on 
the performance of the original offline checker in [6]. 

3 Multiset Hash Functions 

This section describes multiset hash functions. We first introduce multisets. We refer to a multiset as a finite unordered group of elements where an element can occur as a member more than once. All sets are multisets, but a multiset is not a set if an element appears more than once. Let M be a multiset of elements of a countable set B. The number of times $b \in B$ is in the multiset M is denoted by $M_b$ and is called the multiplicity of b in M. The sum of all the multiplicities of M is called the cardinality of M. Multiset union combines two multisets into a multiset in which elements appear with a multiplicity that is the sum of their multiplicities in the initial multisets. We denote multiset union by $\cup$ and assume that the context in which $\cup$ is used makes clear to the reader whether we mean set union or multiset union.

Definition 1. Let $(\mathcal{H}, +_{\mathcal{H}}, \equiv_{\mathcal{H}})$ be a triple of probabilistic polynomial time (ppt) algorithms. That triple is a multiset hash function if it satisfies:

compression: $\mathcal{H}$ maps multisets of B into elements of a set with cardinality $\approx 2^m$, where m is some integer. Compression guarantees that we can store hashes in a small bounded amount of memory.

comparability: Since $\mathcal{H}$ can be a probabilistic algorithm, a multiset need not always hash to the same value. Therefore we need $\equiv_{\mathcal{H}}$ to compare hashes. The following relation must hold for comparison to be possible:

$$\mathcal{H}(M) \equiv_{\mathcal{H}} \mathcal{H}(M)$$

for all multisets M of B.

incrementality: We would like to be able to efficiently compute $\mathcal{H}(M \cup M')$ knowing $\mathcal{H}(M)$ and $\mathcal{H}(M')$. The $+_{\mathcal{H}}$ operator makes that possible:

$$\mathcal{H}(M \cup M') \equiv_{\mathcal{H}} \mathcal{H}(M) +_{\mathcal{H}} \mathcal{H}(M')$$

for all multisets M and M' of B. In particular, knowing only $\mathcal{H}(M)$ and an element $b \in B$, we can easily compute $\mathcal{H}(M \cup \{b\}) \equiv_{\mathcal{H}} \mathcal{H}(M) +_{\mathcal{H}} \mathcal{H}(\{b\})$.

As it is, this definition is not very useful, because $\mathcal{H}$ could be any constant function. We need to add some kind of collision resistance to have a useful hash function. A collision for M' is a multiset $M \neq M'$ such that $\mathcal{H}(M) \equiv_{\mathcal{H}} \mathcal{H}(M')$. A multiset hash function is (multi)set-collision resistant if it is computationally infeasible to find a (multi)set S of B and a multiset M of B such that the cardinalities of S and M are of polynomial size in m, $S \neq M$, and $\mathcal{H}(S) \equiv_{\mathcal{H}} \mathcal{H}(M)$. The following definition makes this notion formal.

Definition 2. Let a family $\mathcal{F}$ of multiset hash functions $(\mathcal{H}_K, +_{\mathcal{H}_K}, \equiv_{\mathcal{H}_K})$ be indexed by a key (seed) $K \in \mathcal{K}$. For $\mathcal{H}_K$ in $\mathcal{F}$, we denote by $m_K$ the logarithm of the cardinality of the set into which $\mathcal{H}_K$ maps multisets of B, that is, $m_K$ is the number of output bits of $\mathcal{H}_K$. We define $\mathcal{K}_m$ as the set of keys $K \in \mathcal{K}$ for which $m_K > m$. By $\mathcal{A}(\mathcal{H}_K)$ we denote a probabilistic polynomial time (in $m_K$) algorithm with oracle access to $(\mathcal{H}_K, +_{\mathcal{H}_K}, \equiv_{\mathcal{H}_K})$.

The family $\mathcal{F}$ satisfies (multi)set-collision resistance if for all ppt algorithms $\mathcal{A}(\cdot)$, any number c, and m large enough (with respect to c)¹,

$$\mathrm{Prob}_{K \leftarrow \mathcal{K}_m,\ (S,M) \leftarrow \mathcal{A}(\mathcal{H}_K)}\left\{ S \text{ is a (multi)set and } M \text{ is a multiset of } B \text{ such that } S \neq M \text{ and } \mathcal{H}_K(S) \equiv_{\mathcal{H}_K} \mathcal{H}_K(M) \right\} < m^{-c}.$$

Note that because $\mathcal{A}(\mathcal{H}_K)$ is polynomial in $m_K$, we will consider that it can only output polynomial sized S and M. We are disallowing compact representations for multisets that would allow $\mathcal{A}(\cdot)$ to express larger multisets (such compact representations do not lead to a feasible attack in our offline memory integrity application).

4 Additive Multiset Hash 

In this section we give an example of a construction of (multi)set-collision resistant multiset hash functions. Let $B = \{0,1\}^m$ represent the set of bit vectors of length m and let M be a multiset of elements of B. Recall that the number of times $b \in B$ is in the multiset M is denoted by $M_b$ and is called the multiplicity of b in M. Let $H_K : \{0,1\}^{m+1} \to \mathbb{Z}_n^l$ be randomly selected from a pseudorandom family of hash functions [9]. Let

$$n^l \approx 2^m,\quad L \le n^l,\quad L \le 2^m,$$

and define

$$\mathcal{H}_K(M) = \left[ H_K(0, r) + \sum_{b \in B} M_b H_K(1, b) \bmod n \ ;\ \sum_{b \in B} M_b \bmod L \ ;\ r \right]$$

where $r \in B$ is a random nonce². Notice that the logarithm of the cardinality $m_K$ of the set into which $\mathcal{H}_K$ maps multisets of B is equal to

$$m_K = \log(n^l) + \log(L) + \log(2^m) \approx 3m.$$

¹ The probability is taken over a random selection of K in $\mathcal{K}_m$ (denoted by $K \leftarrow \mathcal{K}_m$) and over the randomness used in the ppt algorithm $\mathcal{A}(\mathcal{H}_K)$ (denoted by $(S, M) \leftarrow \mathcal{A}(\mathcal{H}_K)$).

² Note, the set from which r is taken could be smaller than B.
We say two triples [h; c; r] and [h'; c'; r'] are equivalent, $[h; c; r] \equiv_{\mathcal{H}_K} [h'; c'; r']$, if and only if $h - H_K(0, r) = h' - H_K(0, r')$ modulo n and $c = c'$ modulo L. Notice that checking whether $\mathcal{H}_K(M) \equiv_{\mathcal{H}_K} \mathcal{H}_K(M')$ is efficient. We define addition of two triples $[h; c; r] +_{\mathcal{H}_K} [h'; c'; r']$ by the result of the computation

$$\left[ H_K(0, r'') + h - H_K(0, r) + h' - H_K(0, r') \bmod n \ ;\ c + c' \bmod L \ ;\ r'' \right],$$

where $r'' \in B$ is a fresh random nonce.

Clearly, $\mathcal{H}_K(M \cup M') \equiv_{\mathcal{H}_K} \mathcal{H}_K(M) +_{\mathcal{H}_K} \mathcal{H}_K(M')$, hence, $(\mathcal{H}_K, +_{\mathcal{H}_K}, \equiv_{\mathcal{H}_K})$ is a multiset hash. The proof of the next theorem is in Appendix A.

Theorem 1. It is computationally infeasible to find a multiset M with multiplicities $< n$ and a multiset M' such that the cardinalities of M and M' are polynomial sized in m, $M \neq M'$, and $\mathcal{H}_K(M) \equiv_{\mathcal{H}_K} \mathcal{H}_K(M')$.

As an example we consider n = 2 and l = m. Then the condition that a multiset M has multiplicities < 2 simply means that M is a set. This leads to set-collision resistance. Furthermore notice that addition modulo 2 defines xor $\oplus$.

Corollary 1. (MSet-XOR-Hash) The multiset hash corresponding to

$$\mathcal{H}_K(M) = \left[ H_K(0, r) \oplus \bigoplus_{b \in B} M_b H_K(1, b) \ ;\ \sum_{b \in B} M_b \bmod 2^m \ ;\ r \right]$$

where $H_K : \{0,1\} \times B \to \mathbb{Z}_2^m$ is randomly selected from a pseudorandom family of hash functions, is set-collision resistant.

Notice that $\mathcal{H}_K(M)$ keeps track of the cardinality of M. If this were not the case then $\mathcal{H}_K(S)$ and $\mathcal{H}_K(M)$ would be equivalent for any S and M with $S_b = M_b$ modulo n = 2 for $b \in B$. This would contradict set-collision resistance. Also notice that $r \leftarrow B$ is randomly chosen. If r were a fixed known constant, then knowledge of u tuples $[M^i ; \mathcal{H}_K(M^i)]$ would reveal u vectors

$$\bigoplus_{b \in B} M^i_b H_K(1, b).$$

If u = 2m then with high probability these u vectors span the vector space $\mathbb{Z}_2^m$. This means that each vector in $\mathbb{Z}_2^m$ can be constructed as a linear combination of these u vectors [4]:

$$\bigoplus_{i=1}^{u} \alpha_i \left( \bigoplus_{b \in B} M^i_b H_K(1, b) \right) = \bigoplus_{b \in B} \left( \bigoplus_{i=1}^{u} \alpha_i M^i_b \right) H_K(1, b).$$

Hence, a polynomial sized collision can be constructed for any polynomial sized M.

In Appendix B we show that for n exponentially large in m, we may remove the cardinality $\sum_{b \in B} M_b$ from the scheme altogether. By taking l = 1 and $L = n = 2^m$ we obtain the next corollary.
Corollary 2. (MSet-Add-Hash) The multiset hash corresponding to

$$\mathcal{H}_K(M) = \left[ H_K(0, r) + \sum_{b \in B} M_b H_K(1, b) \bmod 2^m \ ;\ r \right]$$

where $H_K : \{0,1\} \times B \to \mathbb{Z}_{2^m}$ is randomly selected from a pseudorandom family of hash functions, is multiset collision resistant.

The main difference between MSet-XOR-Hash and MSet-Add-Hash is binary addition without and with carry, respectively. This leads to either set collision resistance or multiset collision resistance.

In Appendix B we show that it is possible to replace the random nonce r by a counter that gets incremented on each use of $\mathcal{H}_K$. This removes the need for a random number generator from the scheme. Moreover, shorter values can be used for r as long as the key is changed when r overflows; this reduces the size of the hash. Also, if the weighted sum of the hashes $H_K(1, b)$ in $\mathcal{H}_K(M)$ is never revealed to the adversary, then we can remove $H_K(0, r)$ from the scheme altogether; this is the case, for example, when the weighted sums are encrypted using a pseudorandom family of permutations (see Corollary 4 in Appendix B).
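The two keyed constructions of this section written out as an added example (not code from the paper or its authors): MSet-XOR-Hash and MSet-Add-Hash over the triple [h; c; r], with the equivalence test and the $+_{\mathcal{H}_K}$ operator of the definition above. HMAC-SHA256 truncated to m = 128 bits stands in for the pseudorandom family $H_K$ (an assumption of this example; any PRF serves), elements of B are byte strings, and the key is a constructed value. The demo also exhibits the distinction the corollaries draw: two multisets that are not sets collide under the XOR variant, because a pair of equal members cancels in $\mathbb{Z}_2^m$, but not under the addition variant.

```python
import hashlib
import hmac
import secrets
from collections import Counter

M = 128              # m: hash output bits; B = {0,1}^m, elements handled as byte strings
MOD = 1 << M


def prf(key: bytes, flag: int, x: bytes) -> int:
    """H_K(flag, x): HMAC-SHA256 truncated to m bits stands in for the pseudorandom
    family of hash functions (an assumption of this example, not the paper's choice)."""
    tag = hmac.new(key, bytes([flag]) + x, hashlib.sha256).digest()
    return int.from_bytes(tag[: M // 8], "big")


class AdditiveMSetHash:
    """mode='xor': MSet-XOR-Hash (Corollary 1); mode='add': MSet-Add-Hash (Corollary 2).
    A hash is the triple [h; c; r] with h = H_K(0,r) (+) sum_b M_b.H_K(1,b),
    c = cardinality mod 2^m and r the nonce.  MSet-Add-Hash does not need c;
    it is carried along so both variants share one representation."""

    def __init__(self, key: bytes, mode: str):
        self.key, self.mode = key, mode

    def _op(self, x: int, y: int) -> int:            # group operation of the variant
        return x ^ y if self.mode == "xor" else (x + y) % MOD

    def _inv(self, x: int) -> int:                   # inverse, used to strip H_K(0, r)
        return x if self.mode == "xor" else (-x) % MOD

    def _scale(self, mult: int, x: int) -> int:      # M_b * H_K(1, b) in Z_2^m or Z_{2^m}
        if self.mode == "xor":
            return x if mult % 2 else 0
        return mult * x % MOD

    def hash(self, multiset, r: bytes = None):
        """H_K(M): a fresh random nonce r is drawn unless one is supplied."""
        r = secrets.token_bytes(M // 8) if r is None else r
        h, c = prf(self.key, 0, r), 0
        for b, mult in Counter(multiset).items():
            h = self._op(h, self._scale(mult, prf(self.key, 1, b)))
            c += mult
        return (h, c % MOD, r)

    def _strip(self, triple):
        """(h - H_K(0,r), c): the nonce-free part that the equivalence relation compares."""
        h, c, r = triple
        return (self._op(h, self._inv(prf(self.key, 0, r))), c)

    def equiv(self, t1, t2) -> bool:                 # [h;c;r] == [h';c';r'] up to the nonce
        return self._strip(t1) == self._strip(t2)

    def add(self, t1, t2):                           # [h;c;r] + [h';c';r'] under a new nonce r''
        r2 = secrets.token_bytes(M // 8)
        (h1, c1), (h2, c2) = self._strip(t1), self._strip(t2)
        return (self._op(prf(self.key, 0, r2), self._op(h1, h2)), (c1 + c2) % MOD, r2)


def demo(key: bytes = b"constructed 32-byte demo key....") -> dict:
    """Exercise both variants on constructed elements and report the properties observed."""
    x, y, z = b"\x01" * 16, b"\x02" * 16, b"\x03" * 16
    out = {}
    for mode in ("xor", "add"):
        H = AdditiveMSetHash(key, mode)
        out[mode] = {
            "comparable": H.equiv(H.hash([x, y]), H.hash([x, y])),        # different nonces, same multiset
            "order_free": H.equiv(H.hash([x, y, z]), H.hash([z, y, x])),
            "incremental": H.equiv(H.hash([x, y, z]), H.add(H.hash([x, y]), H.hash([z]))),
            # {x,x,y} vs {y,y,y}: equal cardinality; H_K(1,x) cancels under XOR but not under +
            "multiset_collision": H.equiv(H.hash([x, x, y]), H.hash([y, y, y])),
        }
    return out
```

Only `equiv` and `add` ever look at the nonce term, which is exactly the role $H_K(0, r)$ plays in the equivalence relation. The colliding pair {x, x, y}, {y, y, y} does not contradict Corollary 1: both are multisets with a repeated member, and the corollary only promises that no set collides with a multiset.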



5 Multiplicative Multiset Hash 

A multiset-collision resistant multiplicative multiset hash can be defined as follows. Let q be a large prime power and consider the computations in the field GF(q). Let $H : B \to GF(q)$ be a poly-random function [9], that is, no polynomial time (in the logarithm of q) algorithm with oracle access to H can distinguish between values of H and true random strings, even when the algorithm is permitted to select the arguments to H (in practice one would use MD5 [12] or SHA1 [11]). We define

$$\mathcal{H}(M) = \prod_{b \in B} H(b)^{M_b}, \qquad (1)$$

$\equiv_{\mathcal{H}}$ to be equal to =, and $+_{\mathcal{H}}$ to be multiplication in GF(q).

Clearly, $(\mathcal{H}, +_{\mathcal{H}}, \equiv_{\mathcal{H}})$ is a multiset hash. An advantage of the scheme is that we do not need a secret key. Unfortunately it relies on finite field arithmetic, which makes it too costly for some applications.

The proof of the following theorem is given in Appendix C, where we also define the discrete log (DL) assumption which says that for random $y \in GF(q)$ and generator $g \in GF(q)$, it is computationally infeasible to find x such that $g^x = y$ (x is called the discrete log of y).

Theorem 2. (MSet-Mu-Hash) Under the DL assumption, the family³ of multiset hash functions $(\mathcal{H}, +_{\mathcal{H}}, \equiv_{\mathcal{H}})$, as defined in (1), is multiset collision resistant.

³ The family is seeded by GF(q).
Under certain assumptions we may replace multiplication in GF(q) by addition modulo a large number. Even though the number of output bits of the resulting multiset hash needs to be much larger (since it is based on ‘weaker’ assumptions), the overall solution becomes more efficient since no finite field arithmetic is needed. Let $H : B \to \mathbb{Z}_n^l$, $n = 2^{\sqrt{m}}$, $l = \sqrt{m}$, be a poly-random function. Now, we define

$$\mathcal{H}(M) = \sum_{b \in B} M_b H(b) \bmod n, \qquad (2)$$

$\equiv_{\mathcal{H}}$ to be equal to =, and $+_{\mathcal{H}}$ to be vector addition modulo n. See Appendix D for the proof of the next theorem and the definition of the worst-case shortest vector (SV) problem.

Theorem 3. (MSet-VAdd-Hash) By assuming that the SV problem is infeasible to solve in polynomial time, the family⁴ of multiset hash functions $(\mathcal{H}, +_{\mathcal{H}}, \equiv_{\mathcal{H}})$, as defined in (2), is multiset collision resistant.

Remark. Because $\mathcal{H}$ can be evaluated with oracle access to H, Theorems 2 and 3 still hold for a stronger form of multiset-collision resistance, in which it is computationally infeasible for an adversary with oracle access to H (instead of $\mathcal{H}$) to find a collision. This is what allows the use of a publicly available H.
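Both keyless constructions of this section as an added example, not the paper's code: MSet-Mu-Hash, eq. (1), over GF(p) with p = 2^127 − 1 (a constructed toy field; the paper leaves the choice of q open), and MSet-VAdd-Hash, eq. (2), over $\mathbb{Z}_n^l$ with the toy parameters m = 64, hence l = 8 and n = 256, which are far too small for the lattice argument behind Theorem 3 and serve only to show the arithmetic. SHA-256 with a domain-separation prefix stands in for the public poly-random function H (an assumption); unlike $H_K$ in Section 4, nothing here is secret.

```python
import hashlib
from collections import Counter

P = (1 << 127) - 1   # prime; GF(P) hosts MSet-Mu-Hash (constructed toy parameter, not from the paper)


def H_field(b: bytes) -> int:
    """Public H : B -> GF(P) minus {0}, modelled by SHA-256 reduced into 1..P-1 (assumption)."""
    return int.from_bytes(hashlib.sha256(b"mu|" + b).digest(), "big") % (P - 1) + 1


def mset_mu_hash(multiset) -> int:
    """Eq. (1): product over b in B of H(b)^{M_b} in GF(P); equivalence is plain equality."""
    h = 1
    for b, mult in Counter(multiset).items():
        h = h * pow(H_field(b), mult, P) % P
    return h


def mu_add(h1: int, h2: int) -> int:
    """+_H for MSet-Mu-Hash is multiplication in the field."""
    return h1 * h2 % P


# MSet-VAdd-Hash, eq. (2): H : B -> Z_n^l with n = 2^sqrt(m), l = sqrt(m).  Toy m = 64.
L_VEC, N_MOD = 8, 1 << 8


def H_vec(b: bytes) -> tuple:
    """Public H : B -> Z_n^l, one byte of SHA-256 per coordinate (assumption)."""
    d = hashlib.sha256(b"vadd|" + b).digest()
    return tuple(d[i] % N_MOD for i in range(L_VEC))


def mset_vadd_hash(multiset) -> tuple:
    """Eq. (2): sum over b of M_b * H(b), coordinate-wise modulo n."""
    acc = [0] * L_VEC
    for b, mult in Counter(multiset).items():
        for i, coord in enumerate(H_vec(b)):
            acc[i] = (acc[i] + mult * coord) % N_MOD
    return tuple(acc)


def vadd_add(v1: tuple, v2: tuple) -> tuple:
    """+_H for MSet-VAdd-Hash is vector addition modulo n."""
    return tuple((a + b) % N_MOD for a, b in zip(v1, v2))


def demo() -> dict:
    """Constructed elements; the checks mirror Definition 1 and sensitivity to multiplicity."""
    x, y, z = b"block-0", b"block-1", b"block-2"
    return {
        "mu_order_free": mset_mu_hash([z, x, y]) == mset_mu_hash([x, y, z]),
        "mu_incremental": mset_mu_hash([x, y, z, z])
        == mu_add(mset_mu_hash([x, y]), mset_mu_hash([z, z])),
        "mu_counts_multiplicity": mset_mu_hash([x, x]) != mset_mu_hash([x]),
        "vadd_order_free": mset_vadd_hash([z, x, y]) == mset_vadd_hash([x, y, z]),
        "vadd_incremental": mset_vadd_hash([x, y, z, z])
        == vadd_add(mset_vadd_hash([x, y]), mset_vadd_hash([z, z])),
        "vadd_counts_multiplicity": mset_vadd_hash([x, x]) != mset_vadd_hash([x]),
    }
```

The incremental update is what the checker of Section 6 depends on: hashing a multiset from scratch and folding members in with `mu_add` or `vadd_add` give the same value, and since H is public the hash can be recomputed by anyone, which is exactly the stronger adversary model of the Remark.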

6 Integrity Checking of Random Access Memory 

We now show how our multiset hash functions can be used to build secure offline 
integrity checkers for memory. Section 6.1 explains the model, and Section 6.2 
shows our offline checker. Our implementation of this checker in the AEGIS 
secure processor [13] is described in [14,7]. 

6.1 Model 

Figure 1 illustrates the model we use. There is a checker that keeps and maintains 
some small, fixed-sized, trusted state. The untrusted RAM (main memory) is 
arbitrarily large. The finite state machine (FSM) generates loads and stores and 
the checker updates its trusted state on each FSM load or store to the untrusted 
RAM. The checker uses its trusted state to verify the integrity of the untrusted 
RAM. The trusted computing base (TCB) consists of the FSM, and the checker 
with its trusted state. For example, the FSM could be a processor. The checker 
would be special hardware that is added to the processor to detect tampering in 
the external memory. 

The checker checks if the untrusted RAM behaves correctly, i.e. like valid RAM. RAM behaves like valid RAM if the data value that the checker reads from a particular address is the same data value that the checker had most recently written to that address. In our model, the untrusted RAM is assumed to be actively controlled by an adversary. The untrusted RAM may not behave like valid RAM if the RAM has malfunctioned because of errors, or if it has been somehow altered by the adversary.

⁴ The family is seeded by $\mathbb{Z}_n^l$.

Fig. 1. Model (figure showing the FSM and the checker)

For this problem, a simple solution such as calculating a message authentica- 
tion code (MAC) of the data value and address, writing the (data value, MAC) 
pair to the address, and using the MAC to check the data value on each read, 
does not work. The approach does not prevent replay attacks: an adversary can 
replace the (data value, MAC) pair currently at an address with a different pair 
that was previously written to the address. The essence of an offline checker 
is that a “log” of the sequence of FSM operations is maintained in fixed-sized 
trusted state in the checker. 


6.2 Offline Checker 

Figure 2 shows the basic put and get operations that are used internally in the 
checker. Figure 3 shows the interface the FSM calls to use the offline checker to 
check the integrity of the memory. 

In Figure 2, the checker maintains two multiset hashes and a counter. In 
memory, each data value is accompanied by a time stamp. Each time the checker 
performs a put operation, it appends the current value of the counter (a time 
stamp) to the data value, and writes the (data value, time stamp) pair to mem- 
ory. When the checker performs a get operation, it reads the pair stored at 
an address, and, if necessary, updates the counter so that it is strictly greater 
than the time stamp that was read. The multiset hashes are updated ($+_{\mathcal{H}}$) with (a, v, t) triples corresponding to the pairs written to or read from memory.

Figure 3 shows how the checker implements the store-load interface. To 
initialize the RAM, the checker puts an initial value to each address. When the 
FSM performs a store operation, the checker gets the original value at the 
address, then puts the new value to the address. When the FSM performs a 
load operation, the checker gets the original value at the address and returns 
this value to the FSM; it then puts the same value back to the address. To 
check the integrity of the RAM at the end of a sequence of FSM stores and 
loads, the checker gets the value at each address, then compares WriteHash 
and ReadHash. If WriteHash is equal to ReadHash, the checker concludes 
that the RAM has been behaving correctly. 
The checker’s fixed-sized state is: 

- 2 multiset hashes: WriteHash and ReadHash. Initially both hashes are 0. 

- 1 counter: Timer. Initially Timer is 0. 

put(a, v) writes a value v to address a in memory: 

1. Let t be the current value of Timer. Write (v, t) to a in memory. 

2. Update WriteHash: WriteHash $+_{\mathcal{H}}\!= \mathrm{hash}(a, v, t)$. 

get(a) reads the value at address a in memory: 

1. Read (v, t) from a in memory. 

2. Update ReadHash: ReadHash $+_{\mathcal{H}}\!= \mathrm{hash}(a, v, t)$. 

3. Timer = max(Timer, t + 1). 


Fig. 2. put and get operations 


Because the checker checks that WriteHash is equal to ReadHash, sub- 
stitution (the RAM returns a value that is never written to it) and replay (the 
RAM returns a stale value instead of the one that is most recently written) at- 
tacks on the RAM are prevented. The purpose of the time stamps is to prevent 
reordering attacks in which RAM returns a value that has not yet been written 
so that it can subsequently return stale data. Suppose we consider the put and 
get operations that occur on a particular address as occurring on a timeline. 
Line 3 in the get operation ensures that, for each store and load operation, 
each write has a time stamp that is strictly greater than all of the time stamps 
previously read from memory. Therefore, the first time an adversary tampers 
with a particular (data value, time stamp) pair that is read from memory, there 
will not be an entry in the WriteHash matching the adversary’s entry in the 
ReadHash, and that entry will not be added to the WriteHash at a later 
time. 

The Timer is not solely under the control of the checker, and is a function 
of what is read from memory, which is untrusted. Therefore, the WriteHash 
cannot be guaranteed to be over a set. For example, for a sequence of store 
and load operations occurring on the same address, an adversary can decrease 
the time stamp that is stored in memory and have triples be added to the 
WriteHash multiple times. The ReadHash can also not be guaranteed to be 
over a set because the adversary controls the pairs that are read from memory. 
Thus, set-collision resistance is not sufficient, and we require multiset-collision 
resistant hash functions. 

The proof of the following theorem is in Appendix E. 

Theorem 4. Let W be the multiset of triples written to memory and let R be the multiset of triples read from memory. That is, W hashes to WriteHash and R hashes to ReadHash. Suppose the accesses to each address are an alternation of puts and gets. If the RAM does not behave like valid RAM, then $W \neq R$.
initialize() initializes RAM. 

1. put(a, 0) for each address a. 

store(a, v) stores v at address a. 

1. get(a). 

2. put(a, v). 

load(a) loads the data value at address a. 

1. v = get(a). Return v to the caller. 

2. put(a, v). 

check() checks if the RAM has behaved correctly (at the end of operation). 

1. get(a) for each address a. 

2. If WriteHash is equal to ReadHash, return true. 


Fig. 3. Offline integrity checking of random access memory 


The following corollary shows the hardness of breaking our offline memory 
integrity checking scheme. 

Corollary 3. Tampering with the RAM without being detected is as hard as finding a collision $W \neq R$ for the multiset hash function.

Offline memory integrity checking was introduced by Blum et al. [6]. However, the original offline checker in [6] differs from our checker in two respects. First, the original checker is implemented with ε-biased hash functions [10]. These hash functions are set-collision resistant against random errors but not against a malicious adversary. Secondly, the Timer is incremented on each put operation and is not a function of what is read from memory. The Timer is solely under the control of the checker. This means that the pairs that are used to update WriteHash form a set. Therefore set-collision resistance is sufficient. The original offline checker can be made secure against active adversaries by using a set-collision resistant multiset hash function, instead of ε-biased hash functions. Our offline checker improves on the original checker because Timer is not incremented on every load and store operation. Thus, time stamps can be smaller without increasing the frequency of checks, which improves the performance of the checker.

7 Conclusion 

We have introduced incremental multiset hash functions which can be efficiently 
updated, and for which the ordering of inputs is not important. Table 1 sum- 
marizes our comparison of the multiset hash functions introduced in this paper. 
Table 1. Comparison of the Multiset Hash Functions 

In the table, we indicate whether the security is based on a pseudorandom family of hash functions (PRF), the random oracle model (RO), the discrete log assumption (DL), and/or the hardness of the worst case shortest vector problem (SV). If hashes are to be visible to the adversary (i.e., the adversary can see the hashes in the trusted state, but cannot modify them), we indicate whether a random nonce/counter (r) or encryption is necessary. We have improved the security and the performance of the offline memory integrity checker in [6] as one application of these functions.
A Proof of Collision Resistance of Additive Hash 

Let $\mathcal{G}_m$ be the family of matrices with $2^{m+1}$ rows, l columns, and entries in $\mathbb{Z}_n$ (recall $n^l \approx 2^m$). Let $H_K$ be a random matrix in $\mathcal{G}_m = \{H_1, H_2, H_3, \ldots\}$. Notice that $H_K$ is the K-th matrix in $\mathcal{G}_m$. We assume that this matrix, or equivalently its label K, is secret and only accessible by the secure processor. The family of matrices $\mathcal{G}_m$ from which $H_K$ is selected is publicly known.

The rows of $H_K$ are labelled by $x \in \{0,1\}^{m+1}$ and denoted by $H_K(x)$. This represents $H_K$ as a function from $x \in \{0,1\}^{m+1}$ to $\mathbb{Z}_n^l$, the set of vectors with length l and entries in $\mathbb{Z}_n$. In practice, $H_K$ is not a completely random matrix over $\mathbb{Z}_n$, but $H_K$ is selected from a pseudorandom family of functions. We address this issue as soon as we are 
ready to formulate a proof of Theorem 1.

The following theorem is about the probability that an adversary finds a collision for some multiset M'. The probability is taken over random matrices $H_K$ in $\mathcal{G}_m$ ($H_K \leftarrow \mathcal{G}_m$) and the randomness of the random nonce used in $\mathcal{H}_K$.

Theorem 5. Let M and M' be multisets of B. Let d be the greatest common divisor⁵ of n and each of the differences $|M_b - M'_b|$, $b \in B$. Given knowledge of u tuples $[M^i ; \mathcal{H}_K(M^i)]$, the probability that M is a collision for M' is at most $u^2/2^m + (d/n)^l$.

We first introduce some notation. Let v(r, M) be the vector of length $2^{m+1}$ defined by

$$v(r, M)_{(0,b)} = 1 \text{ if and only if } b = r$$

and

$$v(r, M)_{(1,b)} = M_b.$$

Let v(M) be the vector of length $2^{m+1}$ defined by $v(M)_{(0,b)} = 0$ and $v(M)_{(1,b)} = M_b$.

Lemma 1. (i) Knowing $[M ; \mathcal{H}_K(M)]$ is equivalent to knowing $[v(r, M) ; v(r, M) H_K \bmod n]$.

(ii) $\mathcal{H}_K(M) \equiv_{\mathcal{H}_K} \mathcal{H}_K(M')$ if and only if $v(M) H_K = v(M') H_K$ modulo n and $\sum_{b \in B} M_b = \sum_{b \in B} M'_b$ modulo L.

Proof. Notice that v(r, M) encodes r, M, and, hence, the cardinality $\sum_{b \in B} M_b$ of M, and notice that

$$\mathcal{H}_K(M) = \left[ v(r, M) H_K \bmod n \ ;\ \sum_{b \in B} M_b \bmod L \ ;\ r \right].$$

The lemma follows immediately from these observations.

⁵ The greatest common divisor of 0 with a positive integer i is equal to i.
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Suppose that an adversary learns u tuples [M l ; or, according to 

Lemma l.(i), u vectors v(r l ,M' 1 ) together with the corresponding v(r l ,M l )H K 
modulo n. Let A be the u x 2 m+1 matrix with rows u(r®, M l ). Then the matrix 
with rows v(r\ M l )H K is equal to AH K . Clearly, A modulo n has full rank over 
7Z n if all r l are different. The probability that there are two equal r*’s is at most 

n 2 / 2 ™. 

Lemma 2. The probability that the r l ’s corresponding to matrix A are all dif- 
ferent is at least 1 — u 2 /2 m . 

By Lemma 1(ii), in order to find a collision for $M'$, the adversary needs to find a multiset $M \neq M'$ such that $v(M)H_K = v(M')H_K$ modulo $n$ and such that the cardinalities of $M$ and $M'$ are equal to one another modulo $L$. The next three lemmas show how difficult this is for the adversary if he is in the situation of the previous lemma.

Lemma 3. Let $M$ and $M'$ be multisets of $B$. The probability that $v(M)H_K = v(M')H_K$ modulo $n$ is statistically independent of the knowledge of a full rank matrix $A$ over $\mathbb{Z}_n$ corresponding to different $r^i$ and the knowledge of $h = AH_K$ modulo $n$.

Proof. W.l.o.g. (after reordering the columns of $A$, the corresponding entries of $v(M) - v(M')$ and the corresponding rows of $H_K$) matrix $A$ has the form $A = (I \; A^1)$, where $I$ is the $u \times u$ identity matrix, and $v(M) - v(M')$ has the form $(0 \; v)$, where $0$ is the all-zero vector of length $u$ (the first $u$ columns are the positions $(0,r^i)$, at which $v(M) - v(M')$ vanishes). Denote the top $u$ rows of $H_K$ by $H_K^0$ and let $H_K^1$ be such that
$$H_K = \begin{pmatrix} H_K^0 \\ H_K^1 \end{pmatrix}.$$
Clearly, the equation $h = AH_K$ modulo $n$ is equivalent to
$$h = H_K^0 + A^1 H_K^1 \bmod n. \tag{3}$$
The equation $0 = (v(M) - v(M'))H_K$ modulo $n$ is equivalent to
$$0 = v H_K^1 \bmod n. \tag{4}$$
Straightforward counting tells us that $\mathrm{Prob}\{(4) \mid (3)\}$ is equal to the number of matrices $H_K^1$ satisfying (4) divided by the total number of matrices $H_K^1$, because for each $H_K^1$ equation (3) fixes $H_K^0$ uniquely. This is in turn equal to the number of matrices $H_K$ satisfying (4) divided by the total number of matrices $H_K$, which is $\mathrm{Prob}\{(4)\}$.


Lemma 4. Let $M$ and $M'$ be multisets of $B$. Let $d$ be the greatest common divisor of $n$ and each of the differences $|M_b - M'_b|$, $b \in B$. Then $(v(M) - v(M'))H_K$ modulo $n$ is uniformly distributed in $d\mathbb{Z}_n^l$.

Proof. To prove this lemma, we show that each entry of $(v(M) - v(M'))H_K$ modulo $n$ is uniformly distributed in $d\mathbb{Z}_n$. Let $y$ represent one of the columns of $H_K$ and define for $\theta \in \mathbb{Z}_n$ the set
$$C_\theta = \{\, y : (v(M) - v(M'))\,y = \theta \bmod n \,\}.$$
Since $d$ divides each entry of $v(M) - v(M')$, it also divides the product $(v(M) - v(M'))\,y$; hence $C_\theta = \emptyset$ if $\theta$ is not divisible by $d$. Since $d$ is the greatest common divisor of $n$ and each of the entries of $v(M) - v(M')$, there exists a vector $y$ such that $(v(M) - v(M'))\,y = d$ modulo $n$. This proves that $C_\theta \neq \emptyset$ if and only if $d$ divides $\theta$. For a fixed column $y' \in C_\theta \neq \emptyset$, the mapping $y \in C_\theta \mapsto y - y' \in C_0$ is a bijection. Hence, the non-empty sets $C_\theta$ have equal cardinality. We conclude that each entry of $(v(M) - v(M'))H_K$ modulo $n$ is uniformly distributed in $d\mathbb{Z}_n$.


Lemma 5. Let $M$ and $M'$ be multisets of $B$. Let $d$ be the greatest common divisor of $n$ and each of the differences $|M_b - M'_b|$, $b \in B$. Given knowledge of a full rank matrix $A$ over $\mathbb{Z}_n$ corresponding to different $r^i$ and given knowledge of $h = AH_K$ modulo $n$, the probability that $v(M)H_K = v(M')H_K$ modulo $n$ is equal to $(d/n)^l$.

Proof. By Lemma 3, since matrix $A$ corresponds to different $r^i$ and $(v(M) - v(M'))_{(0,r^i)} = 0$, the probability that the randomly chosen matrix $H_K$ satisfies $0 = (v(M) - v(M'))H_K$ modulo $n$ is independent of the knowledge of $h = AH_K \bmod n$. By Lemma 4, since $H_K$ is uniformly distributed, $(v(M) - v(M'))H_K$ is uniformly distributed in $d\mathbb{Z}_n^l$. Hence, the probability that $0 = (v(M) - v(M'))H_K \bmod n$ is equal to one divided by the cardinality of $d\mathbb{Z}_n^l$, which is equal to $(d/n)^l$.

Combining Lemmas 2 and 5 proves Theorem 5. To prove Theorem 1 we need the following extra lemma.

Lemma 6. Suppose that $v(M) = v(M')$ modulo $n$, $\sum_{b \in B} M_b = \sum_{b \in B} M'_b$ modulo $L$, the cardinalities of $M$ and $M'$ are $< L$, and the multiplicities of $M$ are $< n$. Then $M = M'$.

Proof. If the cardinalities of $M$ and $M'$ are equal modulo $L$ and $< L$, then
$$\sum_{b \in B} M_b = \sum_{b \in B} M'_b. \tag{5}$$
If all entries of $v(M)$ are $< n$ and $v(M) = v(M')$ modulo $n$, then
$$M'_b = M_b + \theta_b\, n, \quad b \in B, \tag{6}$$
for integers $\theta_b \ge 0$. Combining (5) and (6) proves $\sum_{b \in B} \theta_b = 0$; hence all $\theta_b = 0$. We conclude that $M = M'$.


Now we are ready to prove Theorem 1.

Proof. Let $\mathcal{A}(H_K)$ be a probabilistic polynomial time (in $|K| \approx 3m$) algorithm with oracle access to $(H_K, +_H, \equiv_H)$. Then $\mathcal{A}(H_K)$ can gain knowledge about at most a polynomial number $u(m)$ of tuples $[M^i ; H_K(M^i)]$ (here $u(\cdot)$ denotes a polynomial). Furthermore, $\mathcal{A}(H_K)$ can search for a collision among at most a polynomial number $t(m)$ of pairs $(M, M')$, where $M$ and $M'$ are multisets, $M \neq M'$, and $M$ has multiplicities $< n$. According to Theorem 5, the probability that $\mathcal{A}(H_K)$ finds a collision is at most
$$t(m)\big(u(m)^2/2^m + (d/n)^l\big).$$

Since $\mathcal{A}(H_K)$ can only compute polynomial sized multisets, the cardinalities of the multisets $M$ and $M'$ are $< L \approx 2^m$. This allows us to apply Lemma 6 and conclude that $0 \neq (v(M) - v(M'))$ modulo $n$. Hence, the greatest common divisor $d$ of $n$ and each of the differences $|M_b - M'_b|$, $b \in B$, is at most $n/2$. This leads to
$$(d/n)^l \le 2^{-l}.$$
Let $c > 0$ be any number and suppose that $2^{-l} > m^{-c}$, or equivalently, $l < c \log m$. Notice that each of the differences $|M_b - M'_b|$ is polynomial sized in $m$; hence $d$ is polynomial sized in $m$ and there exists a number $e > 0$ such that $d < m^e$ for $m$ large enough. This proves
$$(d/n)^l < m^{el}/n^l \approx m^{el}/2^m < m^{ec \log m}/2^m,$$
which is at most $m^{-c}$ for $m$ large enough. We conclude that the probability that $\mathcal{A}(H_K)$ finds a collision is at most $m^{-c}$ for $m$ large enough. This proves Theorem 1 for random matrices $H_K$.

Remark. The theorem also holds for a pseudorandom family of hash functions represented as matrices. Suppose that an adversary can compute a collision with significant probability of success when a pseudorandom family of hash functions is used. We have just shown that an adversary has negligible probability of success when random hash functions are used. Hence, with significant probability of success, he is able to distinguish between the use of pseudorandom hash functions and the use of random hash functions. This contradicts the definition of pseudorandomness; see [3] for a detailed proof of a similar result.

B Variants of Additive Hash

A few interesting variants of $H_K$ exist. Suppose that $v(M) = v(M')$ modulo $n$ and that the multiplicities of $M$ and $M'$ are $< n$. Then clearly $M = M'$. Hence, we do not need Lemma 6 in the proof of Theorem 1, which means that the proof of Theorem 1 does not depend on the cardinalities of $M$ and $M'$ being equal modulo $L$. We can then remove the cardinality $\sum_{b \in B} M_b$ from the scheme altogether. For example, for $n$ exponentially large, the cardinalities and in particular the multiplicities of $M$ and $M'$ are $< n$. This proves Corollary 2. Another example is $n = 2$ with both $M$ and $M'$ sets, which proves the main result of [3].
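As an added illustration (example code, not part of the paper), the following Python sketch instantiates MSet-Add-Hash with $n = L = 2^m$ and $l = 1$: the hash is $[\,H_K(0,r) + v(M)H_K \bmod n \;;\; \sum_b M_b \bmod L \;;\; r\,]$ exactly as in the proof of Lemma 1, the comparison $\equiv_H$ strips the nonce terms, and $+_H$ combines two hashes under a fresh nonce. HMAC-SHA256 stands in for the pseudorandom family $H_K$ and $m = 32$ is a toy parameter; both are assumptions of the example. The code checks Lemma 1(ii) directly and exhibits the wrap-around collision discussed above: adding $n$ copies of an element leaves both $v(M)H_K \bmod n$ and the cardinality modulo $L$ unchanged, which is why Theorem 1 is restricted to polynomial sized multisets (Lemma 6).

```python
import hashlib
import hmac
import os
from collections import Counter

M_BITS = 32           # the parameter m; the paper's m is far larger (toy value, an assumption)
N = 1 << M_BITS       # n = L = 2^m for MSet-Add-Hash, with l = 1 column


def prf(key: bytes, first_bit: int, x: bytes) -> int:
    """Stand-in for the pseudorandom family H_K : {0,1} x B -> Z_{2^m}.

    HMAC-SHA256 truncated to m bits; an assumption of this example, not the
    paper's choice of family.  H_K(0, r) blinds with the nonce r, H_K(1, b) is
    the row of H_K belonging to element b.
    """
    mac = hmac.new(key, bytes([first_bit]) + x, hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % N


def vector_part(key: bytes, multiset: Counter) -> int:
    """v(M) H_K mod n with l = 1, i.e. sum_b M_b * H_K(1, b) (notation of Lemma 1)."""
    return sum(mult * prf(key, 1, b) for b, mult in multiset.items()) % N


def mset_add_hash(key: bytes, multiset: Counter, nonce=None) -> tuple:
    """MSet-Add-Hash: [ H_K(0,r) + v(M) H_K mod 2^m ; sum_b M_b mod 2^m ; r ]."""
    r = os.urandom(M_BITS // 8) if nonce is None else nonce
    h = (prf(key, 0, r) + vector_part(key, multiset)) % N
    card = sum(multiset.values()) % N
    return (h, card, r)


def equiv(key: bytes, x: tuple, y: tuple) -> bool:
    """The comparison ==_H: remove each nonce term, then compare sums and cardinalities.

    By Lemma 1(ii) this holds iff v(M)H_K = v(M')H_K mod n and |M| = |M'| mod L.
    """
    h1, c1, r1 = x
    h2, c2, r2 = y
    return c1 == c2 and (h1 - prf(key, 0, r1)) % N == (h2 - prf(key, 0, r2)) % N


def combine(key: bytes, x: tuple, y: tuple) -> tuple:
    """The incremental update +_H: H(M) +_H H(M') ==_H H(M + M'), under a fresh nonce."""
    h1, c1, r1 = x
    h2, c2, r2 = y
    r = os.urandom(M_BITS // 8)
    h = (prf(key, 0, r) + (h1 - prf(key, 0, r1)) + (h2 - prf(key, 0, r2))) % N
    return (h, (c1 + c2) % N, r)


def lemma1_holds(key: bytes, m1: Counter, m2: Counter) -> bool:
    """Lemma 1(ii) checked directly: ==_H on the hashes agrees with the vector/cardinality test."""
    lhs = equiv(key, mset_add_hash(key, m1), mset_add_hash(key, m2))
    rhs = (vector_part(key, m1) == vector_part(key, m2)
           and sum(m1.values()) % N == sum(m2.values()) % N)
    return lhs == rhs


def demo_mset_add_hash(key: bytes = b"key K held by the secure processor") -> dict:
    # constructed sample multisets over B = byte strings
    m1 = Counter({b"a": 2, b"b": 1})
    m2 = Counter({b"a": 1, b"c": 3})
    # Appendix B: raising one multiplicity by n leaves v(M)H_K mod n and |M| mod L
    # unchanged, so this M' collides with m1 -- but its multiplicity 2 + 2^m is not
    # polynomial sized, which is exactly what Theorem 1 excludes.
    wrapped = Counter({b"a": 2 + N, b"b": 1})
    h1, h2 = mset_add_hash(key, m1), mset_add_hash(key, m2)
    return {
        "incremental": equiv(key, combine(key, h1, h2), mset_add_hash(key, m1 + m2)),
        "distinct_multisets_differ": not equiv(key, h1, h2),
        "lemma1_consistent": lemma1_holds(key, m1, m2) and lemma1_holds(key, m1, wrapped),
        "exponential_multiplicity_collides": equiv(key, h1, mset_add_hash(key, wrapped)),
    }
```

Note that `combine` never needs the multisets themselves, only the two hashes: that is what makes the hash incremental, and it is why the nonce term $H_K(0,r)$ has to be subtracted out before the blinded sums can be added.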

Secondly, it is possible to replace the random nonce $r$ by a counter that is incremented on each use of $H_K$, or by any other value that never repeats itself in polynomial time. This guarantees with probability 1 that the matrix $A$ corresponds to different $r^i$ (see Lemma 2). This removes the need for a random number generator from the scheme. Moreover, shorter values can be used for $r$ as long as the key is changed when $r$ overflows; this reduces the size of the hash.

If $u = 0$ then the proof of Theorem 5 does not depend on matrix $A$ and its corresponding $r^i$. Similarly, if the sums of hashes,
$$H_K(0,r) + \sum_{b \in B} M_b H_K(1,b) \bmod n,$$
are hidden from the adversary (he knows which multiset $M$ is being hashed, but not the value of the sum of hashes), then we can remove $H_K(0,r)$ from the scheme altogether. As the following corollary shows, complete hiding is not necessary. We can use a pseudorandom permutation to hide the sums of hashes.

Corollary 4. (Permuted-MSet-XOR-Hash) The multiset hash corresponding to
$$\mathcal{H}_{K,K'}(M) = \Big[\, P_{K'}\Big(\bigoplus_{b \in B} M_b H_K(1,b)\Big) \;;\; \sum_{b \in B} M_b \bmod 2^m \,\Big],$$
where $H_K : \{0,1\} \times B \to \mathbb{Z}_2^m$ and $P_{K'}$ are randomly selected from a pseudorandom family of hash functions and a pseudorandom family of permutations, respectively, is set-collision resistant.

(Permuted-MSet-Add-Hash) The multiset hash corresponding to
$$\mathcal{H}_{K,K'}(M) = P_{K'}\Big(\sum_{b \in B} M_b H_K(1,b) \bmod 2^m\Big),$$
where $H_K : \{0,1\} \times B \to \mathbb{Z}_{2^m}$ and $P_{K'}$ are randomly selected from a pseudorandom family of hash functions and a pseudorandom family of permutations, respectively, is multiset-collision resistant.

Notice that the multiset hashes are incremental because $P_{K'}$ is a permutation and, hence, invertible.

Proof. We first consider a random function $P_{K'}$. Suppose that the adversary learns $u$ tuples $[M^i ; \mathcal{H}_{K,K'}(M^i)]$. As in Lemma 2, the probability that two permuted sums of hashes in the $u$ tuples are equal is at most $u^2/2^m$. If all of them are unequal to one another, then the matrix $AH_K$ (defined without the part corresponding to the random nonce) is uniformly distributed and not known to the adversary (since $P_{K'}$ is a random function). Hence, the probability that $v(M)H_K = v(M')H_K$ modulo $n$ is statistically independent of the knowledge of the adversary. This can be used instead of Lemma 5 to prove Theorems 5 and 1. The result also holds for a pseudorandom family of permutations $P_{K'}$; see the remark at the end of the proof of Theorem 1 in Appendix A.
C Proof of Collision Resistance of Multiplicative Hash

In the following lemma, $\mathcal{A}(\cdot)$ is a probabilistic polynomial time (in $\log q$) algorithm which outputs weights$^6$ $w_1, \ldots, w_u \in \mathbb{Z}_{q-1}$ for a polynomial number of random inputs $x_1, \ldots, x_u \in GF(q)$ such that $1 = \prod_i x_i^{w_i}$ with probability at least $p$. We show that if such an algorithm exists, then we can break the DL problem in $GF(q)$ in polynomial time with probability at least $p/(\log q)^c$.


Lemma 7. Let $\mathcal{A}(\cdot)$ be a ppt algorithm such that there exists a number $c$ such that for $u \le (\log q)^c$,
$$\mathrm{Prob}\Big\{ (x_i \leftarrow GF(q))_{i=1}^{u},\ (w_i \in \mathbb{Z}_{q-1})_{i=1}^{u} \leftarrow \mathcal{A}(x_1, \ldots, x_u) \ :\ 1 = \prod_{i} x_i^{w_i},\ w \neq 0,\ |w_i| < (\log q)^c \Big\} \ge p. \tag{7}$$
Let $g$ be a generator of $GF(q)$. Then there exists a probabilistic polynomial time (in $\log q$) algorithm $\mathcal{A}'(\cdot)$ such that
$$\mathrm{Prob}\{\, y \leftarrow GF(q),\ x \leftarrow \mathcal{A}'(y) \ :\ y = g^x \,\} \ge p/(\log q)^c.$$
In words, given a random $y \in GF(q)$, we are able to find the discrete log of $y$ in $GF(q)$ with probability at least $p/(\log q)^c$.

Proof. Let $y \leftarrow GF(q)$. Select a polynomial number $u$ of random elements $r_1, \ldots, r_u \in \mathbb{Z}_{q-1}$ and $j \in \{1, \ldots, u\}$, and compute
$$x_j = y\,g^{r_j} \quad \text{and} \quad x_i = g^{r_i} \ \text{ for } i \neq j.$$
Compute $(w_1, \ldots, w_u) \leftarrow \mathcal{A}(x_1, \ldots, x_u)$. Since by construction the $x_i$ are distributed uniformly at random, we know that with probability at least $p$ the weights $w_1, \ldots, w_u \in \mathbb{Z}_{q-1}$ are computed such that they are not all equal to zero, $|w_i| < (\log q)^c$, and
$$1 = \prod_i x_i^{w_i} = y^{w_j}\, g^{\sum_i w_i r_i}. \tag{8}$$
Since the inputs are in random order, the probability that $w_j \neq 0$ is at least $1/u \ge (\log q)^{-c}$.

Suppose that $w_j \neq 0$. Let $d$ be the greatest common divisor of $w_j$ and $q-1$. Then$^7$ $w_j/d$ is coprime to $(q-1)/d$ and therefore invertible modulo $(q-1)/d$; the extended Euclidean algorithm computes this inverse in polynomial time. Denote this inverse by $w'$; then $w_j w' \equiv d \pmod{q-1}$. From (8) we infer that
$$y^{d} = g^{-w' \sum_i w_i r_i}.$$

$^6$ Not all equal to zero and each of them bounded by a polynomial number.

$^7$ Division $/$ denotes division over the integers, not over $\mathbb{Z}_{q-1}$ (since $d$ has no inverse in $\mathbb{Z}_{q-1}$, we cannot divide $w_j$ by $d$ in $\mathbb{Z}_{q-1}$).

Notice that if $y^d = g^s$ and $y = g^t$, then $g^{dt} = g^s$, that is, $dt = s$ modulo $q-1$. Recall that $d$ divides $q-1$. For this reason $d$ must also divide $s$. Let $d' = (q-1)/d$ and $s' = s/d$. Both can be computed in polynomial time as we have shown. Now $y$ can be expressed as one of the roots
$$y = g^{\,s' + k d'},$$
where $0 \le k \le d-1$. Since $d \le |w_j| < (\log q)^c$, each of the roots can be checked in polynomial time. This proves the lemma.
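The reduction $\mathcal{A}'$ of Lemma 7, carried out in Python as an added example (not code from the paper). The group is $GF(1009)^*$ of order $1008 = 2^4 \cdot 3^2 \cdot 7$, small enough that the relation-finding oracle $\mathcal{A}$ can be simulated by a stand-in that cheats with a brute-force discrete log; that stand-in, the prime, and the retry bound are assumptions of the example. The wrapper is the lemma's algorithm: it hides $y$ in a random position $j$, derives $y^d = g^{-w' \sum_i w_i r_i}$ with $d = \gcd(w_j, q-1)$ and $w'$ the inverse of $w_j/d$ modulo $(q-1)/d$, and tries the $d$ candidate roots.

```python
from math import gcd
import random

Q = 1009          # toy prime; |GF(Q)^*| = Q - 1 = 1008 = 2^4 * 3^2 * 7 (an assumption)
ORDER = Q - 1


def find_generator() -> int:
    """Smallest g generating GF(Q)^*: g^((Q-1)/p) != 1 for every prime p dividing Q-1."""
    for g in range(2, Q):
        if all(pow(g, ORDER // p, Q) != 1 for p in (2, 3, 7)):
            return g
    raise ValueError("no generator found")


G = find_generator()


def brute_force_dlog(x: int) -> int:
    """Exhaustive discrete log; feasible only because Q is tiny (used by the toy oracle)."""
    for t in range(ORDER):
        if pow(G, t, Q) == x:
            return t
    raise ValueError("element not in GF(Q)^*")


def toy_relation_oracle(xs: list) -> list:
    """Stand-in for A(x_1, ..., x_u) of Lemma 7: weights with prod_i x_i^{w_i} = 1.

    It cheats by computing the logs L_1, L_2 and returning w = (L_2, -L_1, 0, ...):
    x_1^{L_2} x_2^{-L_1} = g^{L_1 L_2 - L_2 L_1} = 1.  A real oracle cannot do this, and
    these weights are not polynomially bounded; the wrapper below does not depend on that.
    """
    l1, l2 = brute_force_dlog(xs[0]), brute_force_dlog(xs[1])
    return [l2, -l1] + [0] * (len(xs) - 2)


def dlog_via_relation_oracle(y: int, oracle, u: int = 4, attempts: int = 64, rng=None) -> int:
    """A'(y) of Lemma 7: randomise the oracle's inputs so that one of them hides y."""
    rng = rng or random.Random(7)
    for _ in range(attempts):
        r = [rng.randrange(ORDER) for _ in range(u)]
        j = rng.randrange(u)
        xs = [pow(G, ri, Q) for ri in r]
        xs[j] = y * pow(G, r[j], Q) % Q                 # x_j = y g^{r_j}, x_i = g^{r_i}
        w = oracle(xs)
        if w[j] == 0:                                   # the 1/u loss in the lemma: retry
            continue
        s_sum = sum(wi * ri for wi, ri in zip(w, r))    # (8): y^{w_j} = g^{-S}, S = sum w_i r_i
        d = gcd(abs(w[j]), ORDER)
        a, order_d = w[j] // d, ORDER // d              # w_j = d*a with gcd(a, (q-1)/d) = 1
        w_inv = pow(a % order_d, -1, order_d)           # a*w_inv = 1 mod (q-1)/d, so w_j*w_inv = d mod q-1
        s = (-w_inv * s_sum) % ORDER                    # y^d = g^s
        assert s % d == 0                               # d | q-1 and d*t = s mod q-1 force d | s
        s_prime, d_prime = s // d, order_d
        for k in range(d):                              # y = g^{s' + k d'} for one of the d roots
            t = (s_prime + k * d_prime) % ORDER
            if pow(G, t, Q) == y:
                return t
    raise RuntimeError("oracle never produced a usable relation")


def demo_dlog_reduction() -> bool:
    """Recover the logs of 20 random group elements through the reduction."""
    rng = random.Random(2003)
    for _ in range(20):
        t = rng.randrange(ORDER)
        y = pow(G, t, Q)
        if pow(G, dlog_via_relation_oracle(y, toy_relation_oracle, rng=rng), Q) != y:
            return False
    return True
```

The cheating oracle returns weights as large as $q-1$, so $d$ here can be large; for a genuine oracle with $|w_i| < (\log q)^c$ the root search is polynomial, as the lemma states. The inverse is taken modulo $(q-1)/d$ rather than modulo $q-1$ because $w_j/d$ need not be coprime to $q-1$ (for example $w_j = 12$ and $q-1 = 18$), while it is always coprime to $(q-1)/d$.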

The DL assumption states that for all ppt algorithms $\mathcal{A}(\cdot)$, any number $c$, and $q$ large enough,
$$\mathrm{Prob}\Big\{\, q \text{ a prime power},\ g \text{ generates } GF(q),\ y \leftarrow GF(q),\ x \leftarrow \mathcal{A}(q,y)\ :\ y = g^x \,\Big\} < (\log q)^{-c}.$$

We are ready to prove Theorem 2.

Proof. Suppose that there exists a number $c$ and a probabilistic polynomial time algorithm $\mathcal{B}(H)$, which runs in time $u = (\log q)^c$, with access to a random oracle $H$, which outputs with probability $p > 1/u$ a collision $M$ for $M'$. That is, $M \neq M'$, $M$ and $M'$ are polynomial sized $< u$, and
$$\mathcal{H}(M) = \prod_{b \in B} H(b)^{M_b} = \prod_{b \in B} H(b)^{M'_b} = \mathcal{H}(M').$$
This means that
$$1 = \prod_{b \in B} H(b)^{M_b - M'_b},$$
there is a polynomial number of $M_b$ and $M'_b$ unequal to zero, for all $b \in B$ the absolute value $|M_b - M'_b| < u$ is polynomial sized, and there exists a $b \in B$ such that $M_b - M'_b \neq 0$.

Let $C$ be an algorithm that goes from $GF(q)^u$ to $B \to GF(q)$, where $B \to GF(q)$ denotes the set of oracles with inputs in $B$ and outputs in $GF(q)$. $C$ is chosen such that $C(x_1, \ldots, x_u)$ returns $x_1$ when it is called for the first time on some input $y_1$, $x_2$ when it is called for the first time on some input $y_2$ different from $y_1$, and so on.

When $x_1, \ldots, x_u$ are chosen randomly, $C(x_1, \ldots, x_u)$ cannot be distinguished from a random oracle by $\mathcal{B}$, because $\mathcal{B}$ cannot query $C$ more than $u$ times. Therefore, if we let $\mathcal{A}$ be the composition of $\mathcal{B}$ and $C$, $\mathcal{A}$ is able to find a collision for $\mathcal{H}$ with probability $p$ when its inputs are chosen uniformly at random. Moreover, $\mathcal{A}$ is a ppt algorithm satisfying (7), so by Lemma 7, $\mathcal{A}$ can break the discrete log problem in $GF(q)$ in polynomial time with probability at least $p/(\log q)^c > (\log q)^{-2c}$. This contradicts the DL assumption. So $\mathcal{B}$ does not exist, which proves multiset-collision resistance.

Because oracle access to $H$ is at least as strong as oracle access to $\mathcal{H}$ (an adversary given $H$ can evaluate $\mathcal{H}$ itself), this proves Theorem 2 when $H$ is a random oracle. The result carries over to poly-random functions because they are indistinguishable from random functions by ppt algorithms.


Remark. Supposing that $H$ is a random oracle is a strong assumption. Compared to the MSet-XOR-Hash and MSet-Add-Hash, we do not need a secret key (as the seed of a pseudorandom family of hash functions) at all. We refer to [5] for a discussion of the extent to which the random oracle assumption can be met in practice.


D Proof of Collision Resistance of Vector Additive Hash

If $r$ is a fixed constant in the MSet-Add-Hash, then we are again vulnerable to the attack described for the MSet-XOR-Hash with a fixed constant $r$. The main difference is that the attack works not modulo $n = 2$ but modulo $n = 2^m$. This means that the linear combination may lead to a collision with large multiplicities. Such a collision is not polynomial sized and therefore does not defeat multiset collision resistance. It turns out that this problem is related to a weighted knapsack problem (see also [4]). In this sense MSet-Add-Hash remains multiset collision resistant even if the pseudorandom family of hash functions $H_K$ is replaced by a single random function, avoiding the use of a secret key as in MSet-Mu-Hash.

The weighted knapsack (WK) assumption is defined as follows. For all ppt algorithms $\mathcal{A}(\cdot)$, any number $c$, $q$ large enough, and $u \le (\log q)^c$,
$$\mathrm{Prob}\Big\{ (x_i \leftarrow \mathbb{Z}_q)_{i=1}^{u},\ (w_i \in \mathbb{Z}_q)_{i=1}^{u} \leftarrow \mathcal{A}(x_1, \ldots, x_u)\ :\ 0 = \sum_{i} w_i x_i \bmod q,\ w \neq 0,\ |w_i| < (\log q)^c \Big\} < (\log q)^{-c}.$$
Notice the resemblance with (7), where multiplication in $GF(q)$ is now replaced by addition modulo $q$ (and $q$ can be any integer; it does not need to be a prime power). It remains unclear to what extent Ajtai's work [1] relates this problem to the worst-case shortest vector problem. Whether to believe the WK assumption is an open problem.

Let $H : B \to \mathbb{Z}_q$ be a poly-random function. We define
$$\mathcal{H}(M) = \sum_{b \in B} M_b H(b) \bmod q, \tag{9}$$
$\equiv_H$ to be equal to $=$, and $+_H$ to be addition modulo $q$ ($q$ plays the role of $2^m$ in MSet-Add-Hash). The proof of the next theorem is similar to the proof of Theorem 2 in Appendix C.

Theorem 6. Under the WK assumption, $(\mathcal{H}, +_H, \equiv_H)$ as defined in (9) is multiset collision resistant.

For completeness, we introduce a multiset hash corresponding to the parameters $n = 2^{\sqrt{m}}$ and $l = \sqrt{m}$ (see Section 4). Let $H : B \to \mathbb{Z}_n^l$ be a poly-random function. Now, we define
$$\mathcal{H}(M) = \sum_{b \in B} M_b H(b) \bmod n,$$
$\equiv_H$ to be equal to $=$, and $+_H$ to be vector addition modulo $n$. Theorem 6 holds again if we modify the WK assumption by replacing $x_i \leftarrow \mathbb{Z}_q$ by $x_i \leftarrow \mathbb{Z}_n^l$, $w_i \in \mathbb{Z}_q$ by $w_i \in \mathbb{Z}_n$, and $q$ by $n$. The main difference is that the $x_i$ are vectors of length $l = \sqrt{m}$. According to [8, Sections 2.1 and 2.2]$^8$, if there is a ppt algorithm solving the modified WK problem (that is, one contradicting the modified WK assumption), then, by Ajtai's theorem [1], there is a probabilistic polynomial (in $l$) algorithm which, for any lattice $\mathcal{L}$ in $\mathbb{R}^l$, given an arbitrary basis of $\mathcal{L}$, approximates (up to a polynomial factor in $l$) the length of the shortest vector in $\mathcal{L}$. This proves Theorem 3. The worst-case shortest vector problem is believed to be hard; see [8] for more discussion.

E Proof of Improved Offline Checker

In this appendix, we prove Theorem 4.

Proof. Suppose the RAM does not behave like valid RAM (i.e., the data value that the checker reads from an address is not the same data value that the checker most recently wrote to that address). We will prove that $W \neq R$.

Consider the put and get operations that occur on an address as occurring on a timeline. To avoid confusion with the values of Timer, we express this timeline in terms of processor cycles. Let $x_1$ be the cycle of the first incorrect get operation. Suppose the checker reads the pair $(v_1, t_1)$ from address $a$ at $x_1$. If there does not exist a cycle at which the checker writes the pair $(v_1, t_1)$ to address $a$, then $W \neq R$ and we are done.

Suppose there is a cycle $x_2$ at which the checker first writes $(v_1, t_1)$ to address $a$. Because of line 3 in the get operation, the time stamps of all writes to $a$ after $x_1$ are strictly greater than $t_1$. Because the time stamps at $x_1$ and $x_2$ are the same, and since put operations and get operations do not occur on the same cycle, $x_2$ occurs before $x_1$ ($x_2 < x_1$). Let $x_3$ be the cycle of the first read from $a$ after $x_2$. Notice that $x_1$ is a read after $x_2$, so $x_1 \ge x_3$. If $x_1$ were equal to $x_3$, then the data value most recently written to $a$, i.e. $v_1$, would be read at $x_1$. This contradicts the assumption that $x_1$ is an incorrect read. Therefore, $x_1 > x_3$.

Because the read at cycle $x_1$ is the first incorrect read, the read at cycle $x_3$ is a correct read. So the read at $x_3$ reads the same pair that was written at $x_2$, namely $(v_1, t_1)$. Again, because of line 3 in the get operation, the time stamps of all writes to $a$ after $x_3$ are strictly greater than $t_1$. Therefore, $(v_1, t_1)$ cannot be written after $x_3$. Because $x_2$ is the first cycle on which $(v_1, t_1)$ is written to $a$, $(v_1, t_1)$ cannot be written before $x_2$. Because $x_3$ is the first read from $a$ after $x_2$, and two writes to an address always have a read from that address between them, $(v_1, t_1)$ cannot be written between $x_2$ and $x_3$. Therefore, the pair $(v_1, t_1)$ is written only once, but it is read at $x_1$ and at $x_3$. Therefore, $W \neq R$.


$^8$ Notice that the matrix with columns $x_i$ is in $\mathbb{Z}_n^{l \times u}$ and that the vector with entries $w_i$ is nonzero and has Euclidean norm polynomial in $l = \sqrt{m}$.
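The argument of Appendix E can be exercised on a simulated RAM. The following Python sketch is an added example, not the paper's code: it implements put and get as in the improved offline checker, with $W$ and $R$ kept as MSet-Mu-Hashes (products in $GF(q)^*$, as in Appendix C) and SHA-256 standing in for the random oracle $H$. The prime $q = 2^{127}-1$, the use of SHA-256, and the exact form of the Timer update in line 3 of get are assumptions of the example; the proof only needs every later write to carry a stamp strictly greater than the stamp just read. An honest RAM passes the final check, while replaying a stale but authentic pair (which is then read twice but written once, the situation the proof constructs) or flipping a stored bit makes $W \neq R$.

```python
import hashlib

Q = (1 << 127) - 1   # Mersenne prime; MSet-Mu-Hash lives in GF(Q)^* (toy size, an assumption)


def oracle(a: int, v: int, t: int) -> int:
    """Random-oracle stand-in H : (address, value, time stamp) -> GF(Q)^*.

    SHA-256 is an assumption of this example; the result is forced nonzero so it is a unit.
    """
    digest = hashlib.sha256(f"{a}:{v}:{t}".encode()).digest()
    return int.from_bytes(digest, "big") % (Q - 1) + 1


class OfflineChecker:
    """Checker for an untrusted RAM.  W and R are MSet-Mu-Hashes (products in GF(Q)^*)
    of the multisets of (address, value, time stamp) triples written and read."""

    def __init__(self, size: int):
        self.ram = [None] * size   # untrusted: the demo adversary rewrites these pairs directly
        self.W = 1                 # H(empty multiset) is the empty product
        self.R = 1
        self.timer = 0
        for a in range(size):      # initial contents go through put so that they enter W
            self.put(a, 0)

    def put(self, a: int, v: int) -> None:
        self.ram[a] = (v, self.timer)                    # write (v, Timer) to address a
        self.W = self.W * oracle(a, v, self.timer) % Q   # W +_H= H((a, v, Timer))

    def get(self, a: int) -> int:
        v, t = self.ram[a]                               # read (v, t) from address a
        self.R = self.R * oracle(a, v, t) % Q            # R +_H= H((a, v, t))
        # line 3 of get: every later write gets a stamp strictly greater than t
        # (the exact update rule is an assumption; the proof only needs this property)
        self.timer = max(self.timer, t) + 1
        return v

    def store(self, a: int, v: int) -> None:
        self.get(a)      # a write is always preceded by a read of the same address
        self.put(a, v)

    def load(self, a: int) -> int:
        v = self.get(a)
        self.put(a, v)
        return v

    def check(self) -> bool:
        """Read every address once more, then compare the two multiset hashes."""
        for a in range(len(self.ram)):
            self.get(a)
        return self.W == self.R


def demo_offline_checker() -> dict:
    honest = OfflineChecker(4)
    honest.store(1, 5)
    honest.store(1, 7)
    honest.load(1)
    honest.store(2, 9)
    results = {"honest_ram_passes": honest.check()}

    replay = OfflineChecker(4)
    replay.store(1, 5)
    stale = replay.ram[1]        # adversary snapshots the authentic pair (5, t) ...
    replay.store(1, 7)
    replay.ram[1] = stale        # ... and replays it: that pair is now read twice but written once
    results["replay_detected"] = not replay.check()

    tamper = OfflineChecker(4)
    tamper.store(2, 9)
    v, t = tamper.ram[2]
    tamper.ram[2] = (v ^ 1, t)   # adversary flips a bit of the stored value
    results["tamper_detected"] = not tamper.check()
    return results
```

The replay case is the interesting one: the pair the adversary restores was genuinely written by the checker, so a per-location MAC would accept it; only the multiset comparison notices that it was consumed twice.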
Abstract. We present two new parallel algorithms for extending the domain of a UOWHF. The first algorithm is a complete binary tree based construction and has less key length expansion than Sarkar's construction, which is the previously best known complete binary tree based construction. Its only disadvantage is that it needs more key length expansion than Shoup's sequential algorithm, but the difference is small: in all practical situations we need just two more masks than Shoup's. Our second algorithm is based on a non-complete $l$-ary tree and has the same optimal key length expansion as Shoup's, which has the most efficient key length expansion known so far. Using the recent result [9], we can also prove that the key length expansion of this algorithm and of Shoup's sequential algorithm is the minimum possible for any algorithm in a large class of "natural" domain extending algorithms. Its parallelizability is less efficient than that of complete tree based constructions; however, as $l$ grows, the parallelizability of the construction approaches that of complete tree based constructions. We also give a sufficient condition for valid domain extension in sequential domain extension.

Keywords: UOWHF, hash function, masking assignment, sequential construction, parallel construction, tree based construction.

1 Introduction

Naor and Yung [7] introduced the notion of universal one-way hash function (UOWHF) to prove that secure digital signatures can be based on any 1-1 one-way function. A UOWHF is a family of functions $\{h_k\}_{k \in \mathcal{K}}$ for which the following task of the adversary is computationally infeasible. The adversary has to choose an $x$ from the domain, and then, given a random $k \in \mathcal{K}$, he has to find a $y$ such that $x \neq y$ but $h_k(x) = h_k(y)$. Intuitively, a UOWHF is a weaker primitive than a collision resistant hash function (CRHF), since the task of the adversary is more difficult, i.e., the adversary has to commit to the string $x$ before knowing the actual hash function $h_k$ for which the collision has to be found. Furthermore, Simon [11] has shown that there is an oracle relative to which UOWHFs exist but not CRHFs.

C.S. Laih (Ed.): ASIACRYPT 2003, LNCS 2894, pp. 208-227, 2003.

A UOWHF is an attractive alternative to a CRHF because it seems that 
building an efficient and secure UOWHF is easier than building an efficient and 
secure CRHF, and in many applications, most importantly for building digital 
signature schemes, a UOWHF is sufficient. In addition, as mentioned in [1], the 
birthday attack does not apply to UOWHFs. Hence the size of the message digest 
can be significantly shorter. 

A reasonable approach to designing a UOWHF that hashes messages of arbitrary and variable length is to first design a compression function, that is, a UOWHF that hashes fixed-length messages, and then design a method for composing these compression functions so as to hash messages of arbitrary and variable length. The present paper deals with the second problem, that of composing compression functions. We will call the composite method a construction or domain extender for most of this paper. The main technical problem in designing such a domain extender is to keep the key length of the domain extender from getting too large.

The rest of this paper is organized as follows. Motivation and our contributions are given in Section 2. Some detailed history of UOWHFs is also provided in Section 2 in order to explain our contributions precisely. Preliminaries are given in Section 3. We generalize Shoup's sequential construction in Section 4; in this section we also provide a sufficient condition for valid sequential domain extension. In Section 5 we present our new complete binary tree based parallel domain extender and prove the validity of the extension. In Section 6 we present our second new parallel domain extender, which is based on a non-complete $l$-ary tree, together with its proof of security. In Section 7 we compare the known constructions with our two constructions in detail. The paper concludes with Section 8.


2 Motivation and Our Contribution

Most practical signature schemes follow the "hash-and-sign" paradigm. They take a message $M$ of arbitrary length and hash it to obtain a constant length string, which is then fed into a signing algorithm. Many schemes use CRHFs to hash a message $x$, but as was first pointed out in [1], a UOWHF suffices for that purpose. Indeed, if $\{h_k\}_{k \in \mathcal{K}}$ is a UOWHF, then to sign a message $x$ the signer chooses a random key $k$ and produces the signature $(k, \sigma(k, h_k(x)))$, where $\sigma$ is the underlying signing function for short messages.

Note that for UOWHFs the key length varies with the length of the input message. Therefore, in many cases the size of $(k, h_k(x))$ can be larger than the input size of $\sigma$. However, in these cases we can solve the problem by applying the signing algorithm $\sigma$ to $(h_{K'}(k), h_k(x))$, where $K'$ is part of the signer's public key. The signature then becomes $(k, \sigma(h_{K'}(k), h_k(x)))$. Note that the function $h_{K'}$ can be replaced by any second-preimage resistant function, because its input is random and chosen by the signer. Since messages can be very long, hashing speed is a crucial factor. On the other hand, a closer look at the signature scheme reveals that the key $k$ must be part of the signature so that the receiver can recompute the hash. Therefore, the shorter the key, the better the signature scheme.

These facts lead us to think we should consider two aspects. 

1. Minimizing the key length expansion: This is certainly a very important 
aspect of any domain extending algorithm. 

2. Parallel implementation: From an implementation point of view paralleliz- 
ability is also an important aspect of any domain extending algorithm. 

Bellare and Rogaway [1] suggested the XOR tree hash (XTH) construction in order to reduce the key length expansion. Since XTH is based on the complete (or full) $l$-ary tree ($l \ge 2$), it is also efficient with regard to parallelizability (the processing speed). XTH had been the most efficient construction with regard to both key length expansion and parallelizability before Shoup's construction was presented in [10]. Shoup's construction is more efficient than XTH with regard to key length expansion. Furthermore, Mironov [4] has shown that the key length expansion needed in Shoup's construction is the minimum possible for any sequential algorithm. In other words, there is no sequential algorithm with more efficient key length expansion than Shoup's. But his construction is not more efficient than XTH with regard to parallelizability, since it is based on the unary tree. In the following, '$B < A$' means that $A$ is more efficient than $B$ regarding key length expansion or parallelizability.

Key length expansion: XTH < Shoup

Parallelizability: Shoup < XTH

Sarkar's work [8] was an attempt to propose a parallel algorithm with the following properties:

— The algorithm's key length expansion is as good as possible.

— The algorithm's parallelizable efficiency is the same as XTH's.

Therefore, he chose the complete tree to obtain the same parallelizable performance as XTH, and chose a binary structure in order to combine the mask assignment methods of Shoup's and the XTH algorithm so that the key length expansion could be reduced as much as possible. As a result, Sarkar's construction has the same parallelizable performance as XTH. However, his construction does not have the same key length expansion as Shoup's.

Key length expansion: XTH < Sarkar < Shoup

Parallelizability: Shoup < XTH = Sarkar

In this paper we first present a tree based domain extension whose key length expansion is significantly less than that of Sarkar's construction. Furthermore, its parallelizable efficiency is the same as Sarkar's, since it is also based on the complete binary tree. It will be called the Improved Binary Tree based Construction (IBTC). In fact, we have a lot of evidence in [6] that IBTC is optimal in the class of complete binary tree based algorithms. Its only disadvantage is that it needs more masks (part of the key) than the sequential construction, but the difference is small: in all practical situations we need just two more masks than Shoup's construction.

However, note that all previously proposed parallel algorithms, including our first new construction, require more key length expansion than Shoup's sequential algorithm. So an important question is whether this is true in general of any parallel algorithm. Our second new construction shows that this is not the case.

The following is our motivation for designing the second new parallel algorithm. At the present stage, it seems that the parallel constructions based on the complete $l$-ary tree have the most efficient parallelizability. But we think it is difficult to construct a parallel domain extender which has the same key length expansion as Shoup's sequential domain extender if we may only use the complete $l$-ary tree. Therefore, we take a somewhat different approach, without the assumption that only the complete $l$-ary tree may be used: in contrast to [8] and our first construction, this work is an attempt to propose a parallel algorithm with the following properties:

— The algorithm has the same key length expansion as Shoup's.

— The algorithm's parallelizable efficiency is as good as possible.

As a result, the second new construction has the same key length expansion as Shoup's. But the construction does not have the same parallelizable performance as our first new construction. The construction will be called the $l$-DIMensional construction ($l$-DIM, $l \ge 2$).

Key length expansion: XTH < Sarkar < IBTC < Shoup = $l$-DIM

Parallelizability: Shoup < $l$-DIM < XTH = Sarkar = IBTC

The results are summarized in Table 1 (here 'seq' means 'sequential' and 'par' means 'parallel'). A more detailed comparison is presented in Table 2 in Section 7.


Table 1. Comparison of domain extenders for UOWHF

Method              Used tree                     Ranking of      Ranking of          Seq/Par
                                                  key expansion   parallelizability
BLH [1]             Unary                         7               3                   seq
XLH [1]             Unary                         6               3                   seq
Shoup [10]          Unary                         1               3                   seq
BTH [1]             Complete l-ary (l >= 2)       5               1                   par
XTH [1]             Complete l-ary (l >= 2)       4               1                   par
Sarkar [8]          Complete binary               3               1                   par
IBTC (this paper)   Complete binary               2               1                   par
l-DIM (this paper)  Non-complete l-ary (l >= 2)   1               2                   par
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We think it is difficult to say that which one is more important than the other 
between the key length expansion and the parallel implementation. Of course, 
it would be very nice to have a regular parallel structure something like the 
complete tree which also minimizes the key length expansion. But at this point, 
we do not have any such algorithm and IBTC is the best known construction 
among the complete binary tree based constructions. Hence, in our opinion, we 
should separately consider both the above-mentioned two points of view with 
the same importance. And the present works are important in regarding the 
former and the latter point of views, respectively. Particularly, the /-DIM and 
Shoup’s one are the only two known algorithms which minimize the key length 
expansion. In addition that, the reason why the /-DIM has more meaning is that 
it is a parallel algorithm which has the same key length expansion as Shoup’s 
sequential algorithm and this is the very first trial in designing the parallel 
algorithms. 

Using the recent result [9], we can also prove that the key length expansion 
of our new parallel construction and Shoup’s sequential construction are the 
minimum possible for any constructions in a large class of “natural” domain 
extenders including all the previously proposed methods. 

We also give a sufficient condition for valid domain extension for the sequential 
construction, and it is likely that the condition is also necessary; if so, it 
characterizes valid domain extension for the sequential construction. In [6] M. Nandi 
has also shown that the same condition is sufficient for general tree based 
domain extension. 

Related Work: Note that all of the parallel constructions described above are 
based on the assumption that the number of processors grows with the length 
of the message. In [9], Sarkar first suggested a parallel domain extending 
algorithm which can be implemented with finitely many processors, but it does 
not have the same key length expansion as Shoup's. It should be noted that 
his work mainly focuses on parallel implementation with finitely many processors, 
whereas the present work focuses on parallel implementation with 
optimal key length expansion. It seems that, using the technique of [9], our 
new parallel constructions can be modified into constructions which work 
with finitely many processors. 


3 Preliminaries 

The following notations are used in this paper. 

1. $[a, b] = \{a, a+1, \ldots, b\}$ where $a$ and $b$ are integers. 

2. Suppose $A$ is a finite set. By $a \in_R A$ we mean that $a$ is a uniform discrete 
random variable taking values from $A$. 

3. $\nu_2(i) = j$ if $2^j \mid i$ and $2^{j+1} \nmid i$. 

4. For $t \ge 1$, $\log_2^{(m)}(t)$ means that the function $\log_2$ is applied $m$ times to $t$. 
$\log_2^*(t) = m$ if $\log_2^{(m)}(t) \le 1$ but $\log_2^{(m-1)}(t) > 1$. 

5. In the complete binary tree based construction, $T_t = (V_t, E_t)$ means the 
complete binary tree where $V_t = \{1, 2, \ldots, 2^t - 1\}$ is the node set and $E_t = \{e_i : 
2 \le i \le 2^t - 1\}$ is the directed edge set, where $e_i = (i, \lfloor i/2 \rfloor)$. Here $e_i = (v, w)$ 
denotes a directed edge, i.e., $v$ is the initial node and $w$ the terminal node. 
$ht_t(i) = j$ means that $2^{t-j} \le i \le 2^{t+1-j} - 1$. So, the root node has height 
$t$ and all leaves have height 1. For any node $i$, define $T_t[i]$ to be the complete 
binary sub-tree rooted at $i$. 

6. In the 4-dimensional construction, for an integer $t$, $g(t) = (a, b, c, d)$, where 
$a = \lfloor t/4 \rfloor + \lfloor ((t \bmod 4) + 3)/4 \rfloor$, $b = \lfloor t/4 \rfloor + \lfloor ((t \bmod 4) + 2)/4 \rfloor$, 
$c = \lfloor t/4 \rfloor + \lfloor ((t \bmod 4) + 1)/4 \rfloor$, and $d = \lfloor t/4 \rfloor$. Here $t \bmod 4 = t - 4\lfloor t/4 \rfloor$. 

7. In the 4-dimensional construction let $T_t = (V_t, E_t)$ be the non-complete 4-ary 
tree, where $V_t = \{1, 2, \ldots, 2^t\}$ and $E_t = \{e_i : 2 \le i \le 2^t\}$, with $e_i = (i, i - 1)$ 
for $2 \le i \le 2^a$, $e_i = (i, i - 2^a)$ for $2^a < i \le 2^{a+b}$, $e_i = (i, i - 2^{a+b})$ for 
$2^{a+b} < i \le 2^{a+b+c}$, and $e_i = (i, i - 2^{a+b+c})$ for $2^{a+b+c} < i \le 2^t$. Here $a$, $b$, $c$, 
and $d$ are such that $g(t) = (a, b, c, d)$. 

Let $\{h_k\}_{k \in \mathcal{K}}$ be a keyed family of hash functions, where each $h_k : \{0,1\}^n \to 
\{0,1\}^m$, $n > m$. Consider the following adversarial game. 

1. The adversary chooses an $x \in \{0,1\}^n$. 

2. The adversary is given a $k$ which is chosen uniformly at random from $\mathcal{K}$. 

3. The adversary has to find $x'$ such that $x \ne x'$ but $h_k(x) = h_k(x')$. 

A strategy $A$ for the adversary runs in two stages. In the first stage $A^{guess}$, 
the adversary finds the $x$ to which he has to commit in Step 1. It also produces 
some auxiliary state information $a$. In the second stage $A^{find}(k, x, a)$, the 
adversary either finds an $x' \ne x$ such that $h_k(x) = h_k(x')$ or reports failure. 
Both $A^{guess}$ and $A^{find}(k, x, a)$ are probabilistic algorithms. The success 
probability of the strategy is measured over the random choices made by $A^{guess}$ and 
$A^{find}(k, x, a)$ and the random choice of $k$ in Step 2 of the game. 

We say that $A$ is an $(\epsilon, \eta)$-strategy for $\{h_k\}_{k \in \mathcal{K}}$ if the success probability 
of $A$ is at least $\epsilon$ and it invokes the hash function $h_k$ at most $\eta$ times. In this 
case we say that the adversary has an $(\epsilon, \eta)$-strategy for $\{h_k\}_{k \in \mathcal{K}}$. Note that we 
do not include time as an explicit parameter, though it would be easy to do so. 
Informally, we say that $\{h_k\}_{k \in \mathcal{K}}$ is a UOWHF if the adversary has a negligible 
probability of success with respect to any probabilistic polynomial time strategy. 
Here, the security parameter is the length of the message, i.e., the length of the input. 

In this paper we are interested in extending the domain of a UOWHF. More 
specifically, given a UOWHF $\{h_k\}_{k \in \mathcal{K}}$, $h_k : \{0,1\}^n \to \{0,1\}^m$, $n > m$, we would 
like to construct another extended UOWHF $\{H_p\}_{p \in \mathcal{P}}$ with $H_p : \{0,1\}^N \to 
\{0,1\}^m$, where $n < N$. 

We say that $B$ is an $(\epsilon, \eta)$-extended strategy for $\{H_p\}_{p \in \mathcal{P}}$ if the success 
probability of $B$ is at least $\epsilon$ and it invokes the hash function $h_k$ at most $\eta$ times. In 
this case we say that the adversary has an $(\epsilon, \eta)$-extended strategy for $\{H_p\}_{p \in \mathcal{P}}$. 
Note that $H_p$ is built using $h_k$, and hence while studying strategies for $H_p$ we 
are interested in the number of invocations of the hash function $h_k$. 

The correctness of our construction will essentially be a Turing reduction. We 
will show that if there is an $(\epsilon, \eta)$-extended strategy $B$ for $\{H_p\}_{p \in \mathcal{P}}$, then there 
is an $(\epsilon', \eta')$-strategy $A$ for $\{h_k\}_{k \in \mathcal{K}}$, where $\epsilon'$ is not significantly smaller than $\epsilon$ 
and $\eta'$ is not much larger than $\eta$. This shows that if $\{h_k\}_{k \in \mathcal{K}}$ is a UOWHF, then 
so is $\{H_p\}_{p \in \mathcal{P}}$. In this case, we say that the domain extension is valid. 

The key length for the base hash family $\{h_k\}_{k \in \mathcal{K}}$ is $\lceil \log_2 |\mathcal{K}| \rceil$. On the other 
hand, the key length for the extended hash family $\{H_p\}_{p \in \mathcal{P}}$ is $\lceil \log_2 |\mathcal{P}| \rceil$. Thus 
increasing the size of the input from $n$ bits to $N$ bits results in an increase of 
the key size by an amount $\lceil \log_2 |\mathcal{P}| \rceil - \lceil \log_2 |\mathcal{K}| \rceil$. From a practical point of view 
it is very important to minimize this increase in the key length. 

For the remainder of this paper we assume the following conventions. 

1. $\{h_k\}_{k \in \mathcal{K}}$ is always the base hash family, where $\mathcal{K} = \{0,1\}^K$ and $h_k : 
\{0,1\}^n \to \{0,1\}^m$. In case of the sequential construction $n > m$, in case of the 
full binary tree based construction $n > 2m$, and in case of the 4-dimensional 
construction $n > 4m$. 

2. We will construct $\{H_p\}_{p \in \mathcal{P}}$, $H_p : \{0,1\}^N \to \{0,1\}^m$, using the base hash 
family $\{h_k\}_{k \in \mathcal{K}}$, where $p = k \| \mu_1 \| \mu_2 \| \cdots \| \mu_l$ for some $l$, each $\mu_i$ is an $m$-bit 
binary string called a mask, and $|k| = K$. Here, in case of the sequential algorithm 
$N = n(r+1) - mr$, in case of the tree based construction $N = n(2^t - 1) - m(2^t - 2)$, 
and in case of the 4-dimensional construction $N = n2^t - m(2^t - 1)$. Let us define 
$\mu[i, j] = \mu_i \| \ldots \| \mu_j$, where $1 \le i \le j \le l$. We will use $\mu[j]$ instead of $\mu[1, j]$ 
for $j \ge 1$ and define $\mu[0]$ to be the empty string. 

3. In the sequential construction the input of $H_p$ is written as $y = y_0 \| y_1 \| \cdots \| y_r$, 
where $|y_0| = n$ and $|y_i| = n - m$ for $1 \le i \le r$. In case of the tree based 
construction the input of $H_p$ is written as $x = x_1 \| \cdots \| x_{2^t - 1}$, where $|x_i| = n - 2m$ 
for $1 \le i < 2^{t-1}$ and $|x_i| = n$ for $2^{t-1} \le i \le 2^t - 1$. In the 4-dimensional 
construction the input of $H_p$ is written as $x = x_1 \| \cdots \| x_{2^t}$, where $|x_i| = n - 4m$ 
for $1 \le i < 2^a$, $|x_i| = n - 3m$ for $2^a \le i \le 2^a(2^b - 1)$, $|x_i| = n - 2m$ for 
$2^a(2^b - 1) < i \le 2^{a+b}(2^c - 1)$, $|x_i| = n - m$ for $2^{a+b}(2^c - 1) < i \le 2^{a+b+c}(2^d - 1)$, 
and $|x_i| = n$ for $2^{a+b+c}(2^d - 1) + 1 \le i \le 2^t$. Here $a, b, c$, and $d$ are such 
that $g(t) = (a, b, c, d)$. 

4. In the tree based construction let $i \in V_t$ and $x$ be a message of length $N$. 
We define $x(i) = x_i \| x_{2i} \| x_{2i+1} \| x_{4i} \| x_{4i+1} \| \cdots$, i.e. the concatenation of all $x_j$ in 
ascending order of $j$ where $j$ runs over $T_t[i]$; in other words, the part of the 
message used in the complete binary sub-tree rooted at $i$. 

4 Sequential Construction 

The best known sequential algorithm is given by Shoup [10]. We will generalize 
the idea of the construction. We also give a sufficient condition for valid 
sequential construction. Let $\psi : [1, r] \to [1, l]$ be any function, called a masking 
assignment. Fix a masking assignment $\psi$; $H_p(y)$, the extended hash function, 
is computed by the following algorithm. 

1. Input: $y = y_0 \| y_1 \| \cdots \| y_r$ and $p = k \| \mu_1 \| \mu_2 \| \ldots \| \mu_l$. 

2. $z_0 = h_k(y_0)$. 

3. For $1 \le i \le r$, define $s_i = z_{i-1} \oplus \mu_{\psi(i)}$ and $z_i = h_k(s_i \| y_i)$. 

4. Output: $z_r$. 

We say that the sequential construction is based on the masking assignment $\psi$. 
In Shoup's algorithm $\psi = \nu_2 + 1$ and $l = 1 + \lfloor \log_2 r \rfloor$ (in his paper $\nu_2$ is the masking 
assignment, but that makes no difference). We will write $s(i, y, k, \mu)$, $z(i, y, k, \mu)$ 
for $s_i$ and $z_i$ respectively (in the algorithm with input $(y, p)$, where $p = k \| \mu$). 
Now we will define some terms related to masking assignments and domain 
extension. 

Definition 1. We say that $\psi$ is correct if for all $1 \le i \le r$, $C \in \{0,1\}^m$, $y \in 
\{0,1\}^N$ and for any hash function $h_k$ there is an algorithm called $\mathrm{Mdef}_{seq}(i, y, k, 
C, \psi)$ which outputs $\mu = \mu_1 \| \mu_2 \| \cdots \| \mu_l$ such that $s(i, y, k, \mu) = C$. $\mathrm{Mdef}_{seq}(i, y, 
k, C, \psi)$ is called a mask defining algorithm. A sequential construction based on a 
correct masking assignment is called a correct domain extension. A masking 
assignment is totally correct if there is a mask defining algorithm $\mathrm{Mdef}_{seq}(i, y, k, 
C, \psi) = \mu = \mu_1 \| \mu_2 \| \ldots \| \mu_l$ for any $i, y, k, C$ as above such that $s(i, y, k, \mu) = C$ 
holds and $\mu$ is a random string whenever $C$ is a random string and the other inputs 
are fixed. 

Definition 2. We say that a domain extension algorithm is valid if $\{H_p\}_{p \in \mathcal{P}}$ is 
a UOWHF whenever $\{h_k\}_{k \in \mathcal{K}}$ is a UOWHF. In case of the sequential construction, 
if a valid domain extension algorithm is based on a masking assignment $\psi$ then we 
say that the masking assignment is valid. 

Definition 3. A masking assignment $\psi : [1, r] \to [1, l]$ is strongly even-free 
(or even-free) if for each $[a, b] \subseteq [1, r]$ there exists $c \in [a, b]$ such that $\psi(c)$ occurs 
exactly once (respectively, an odd number of times) in the sequence $\psi(a), \psi(a+1), \ldots, \psi(b)$. 
Call this $c$ (also the mask $\psi(c)$) a single-man for the interval $[a, b]$. 

Now we will try to characterize all valid masking assignments. From Mironov's 
paper [4] we have seen that every valid masking assignment is even-free. He also 
showed that every even-free masking assignment requires at least $1 + \lfloor \log_2 r \rfloor$ 
masks, and that the minimum is attained by the masking assignment 
$\psi = \nu_2 + 1$ which is used in Shoup's algorithm. Now we will prove that, in case 
of the sequential construction, every strongly even-free masking assignment is valid. 
The same masking assignment, i.e. $\nu_2 + 1$, is in fact a strongly even-free masking 
assignment. 

To provide the sufficient condition for valid sequential extension, we will first 
prove that strongly even-free implies totally correct. The proof that totally correct 
implies valid is the basic idea behind proving that an extension is valid. In all known papers 
the same idea is used for proving the validity of an extension, so one can find it in any 
one of the papers [8,10,4]. We will give a proof in the case of complete binary tree 
based domain extension in Section 5. 

Lemma 1. If $\psi$ is strongly even-free then $\psi$ is totally correct. 

Proof. We will define the mask defining algorithm $\mathrm{Mdef}_{seq}(i, y, k, C, \psi)$. 

1. If $i = 1$ then define $\mu_{\psi(1)} = C \oplus h_k(y_0)$, define all yet undefined masks 
randomly and quit. 

2. If $i > 1$ then choose any $c$ which is a single-man for the interval $[1, i]$. 
Compute $j \leftarrow i - c$. If $j = 0$ then go to step 4. 

3. Let $\psi' : [1, j] \to [1, l]$ be the masking assignment such that $\psi'(n) = \psi(n + c)$ 
where $n \in [1, j]$. Take a random string $D$ and then define $y' = y'_0 \| \ldots \| y'_j$, 
where $y'_n = y_{n+c}$ when $n \ge 1$ and $y'_0 = D \| y_c$. Run $\mathrm{Mdef}_{seq}(j, y', k, C, \psi')$. 

4. Define all yet undefined masks except $\mu_{\psi(c)}$ randomly (i.e. after running $\mathrm{Mdef}_{seq}$ some 
masks may not be defined, as $\psi'$ may not be onto or $j$ can be 0). 
Compute $\mu_{\psi(c)} = z(c - 1, y, k, \mu) \oplus D$ and quit. 

Note that to compute $z(c - 1, y, k, \mu)$ we do not need the mask $\mu_{\psi(c)}$, as $c$ is 
a single-man, and the above recursive algorithm will always stop as $j < i$. The 
masking assignment $\psi'$ is nothing but $\psi$ restricted to $[c, i]$. So, if $s(c, y, k, \mu) = D$ 
then by induction $s(i, y, k, \mu) = C$. But $s(c, y, k, \mu) = D$ is true by the definition of 
$\mu_{\psi(c)}$. This proves the correctness of $\psi$. If $C$ is a random string then every mask $\mu_i$ is 
a random string, as it is either randomly defined (in step 4) or obtained 
by XOR-ing with a random string (in step 1). So, $\psi$ is totally correct. ■ 
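The sequential construction of this section, Shoup's masking assignment $\psi = \nu_2 + 1$, the single-man test of Definition 3, and the recursive mask defining algorithm of Lemma 1, as an added worked example in Python; this is not code from the paper or its authors. It assumes a constructed stand-in for the base family $h_k$ (HMAC-SHA256 keyed with $k$ and truncated to $m = 128$ bits, with $n = 256$), and the names seq_hash, single_man, strongly_even_free, mdef_seq and demo are the example's own. One point the lemma leaves implicit is made explicit: when the chosen single-man $c$ equals $i$ (so $j = 0$) the jump to step 4 takes $D$ to be $C$, and a mask forced by an inner recursive call is never overwritten by an outer one.

```python
import hashlib
import hmac
import os

# Constructed toy instance of the base family {h_k} (an assumption, not the
# paper's): h_k : {0,1}^n -> {0,1}^m is simulated by HMAC-SHA256 keyed with k
# and truncated to m bits.  The construction only uses h_k as a black box.
N_BITS, M_BITS = 256, 128                 # n and m, with n > m
N_BYTES, M_BYTES = N_BITS // 8, M_BITS // 8


def h(k: bytes, x: bytes) -> bytes:
    """Base hash h_k on an exactly n-bit input, m-bit output."""
    assert len(x) == N_BYTES, "h_k takes exactly n bits"
    return hmac.new(k, x, hashlib.sha256).digest()[:M_BYTES]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def nu2(i: int) -> int:
    """nu_2(i): exponent of the largest power of 2 dividing i."""
    return (i & -i).bit_length() - 1


def shoup_psi(i: int) -> int:
    """Shoup's masking assignment psi = nu_2 + 1 (masks indexed from 1)."""
    return nu2(i) + 1


def shoup_mask_count(r: int) -> int:
    """l = 1 + floor(log2 r), the number of masks Shoup's assignment uses."""
    return r.bit_length()


def seq_hash(k: bytes, mu: dict, y: list, psi):
    """Section 4 algorithm.  y = [y_0, ..., y_r] with |y_0| = n, |y_i| = n - m;
    mu maps mask index -> m-bit mask.  Returns lists s, z with s[i] = s(i, y, k, mu)
    and z[i] = z(i, y, k, mu); s[0] is unused."""
    z = [h(k, y[0])]
    s = [None]
    for i in range(1, len(y)):
        s_i = xor(z[i - 1], mu[psi(i)])
        s.append(s_i)
        z.append(h(k, s_i + y[i]))
    return s, z


def single_man(psi, a: int, b: int):
    """Some c in [a, b] whose mask psi(c) occurs exactly once in psi(a..b), else None."""
    vals = [psi(c) for c in range(a, b + 1)]
    for c, v in zip(range(a, b + 1), vals):
        if vals.count(v) == 1:
            return c
    return None


def strongly_even_free(psi, r: int) -> bool:
    """Definition 3: every interval [a, b] of [1, r] has a single-man."""
    return all(single_man(psi, a, b) is not None
               for a in range(1, r + 1) for b in range(a, r + 1))


def _mdef(i: int, y: list, k: bytes, C: bytes, psi, mu: dict) -> None:
    """Recursive core of Mdef_seq (Lemma 1): writes only the masks the target
    forces into mu, and never overwrites a mask that is already set."""
    if i == 1:                                   # step 1
        mu[psi(1)] = xor(C, h(k, y[0]))
        return
    c = single_man(psi, 1, i)                    # step 2
    if c is None:
        raise ValueError("psi is not strongly even-free on [1, i]")
    j = i - c
    if j == 0:
        D = C          # assumption: no suffix right of c, so s_c itself must equal C
    else:                                        # step 3
        D = os.urandom(M_BYTES)
        psi_p = lambda n_: psi(n_ + c)           # psi restricted to (c, i]
        y_p = [D + y[c]] + y[c + 1:i + 1]        # y'_0 = D || y_c, y'_n = y_{n+c}
        _mdef(j, y_p, k, C, psi_p, mu)
    for n_ in range(1, c):                       # step 4: masks needed for z(c-1)
        mu.setdefault(psi(n_), os.urandom(M_BYTES))
    _, z = seq_hash(k, mu, y[:c], psi)           # z[c-1] never touches mu[psi(c)]
    mu[psi(c)] = xor(z[c - 1], D)


def mdef_seq(i: int, y: list, k: bytes, C: bytes, psi, l: int) -> dict:
    """Mask defining algorithm: masks mu_1..mu_l with s(i, y, k, mu) = C."""
    mu = {}
    _mdef(i, y[:i + 1], k, C, psi, mu)
    for idx in range(1, l + 1):                  # unforced masks stay random
        mu.setdefault(idx, os.urandom(M_BYTES))
    return mu


def demo(r: int = 6, i: int = 5) -> dict:
    """Constructed sample run: fixed key k, blocks y_0..y_r and target C."""
    k = bytes(range(16))
    y = [bytes([0xA0]) * N_BYTES] + [bytes([v]) * (N_BYTES - M_BYTES) for v in range(1, r + 1)]
    C = bytes([0x5C]) * M_BYTES
    l = shoup_mask_count(r)
    mu = mdef_seq(i, y, k, C, shoup_psi, l)
    s, z = seq_hash(k, mu, y, shoup_psi)
    return {"even_free": strongly_even_free(shoup_psi, r), "masks": l,
            "hit": s[i] == C, "digest": z[r]}
```

Running demo(6, i) for every $i \in [1, 6]$ produces masks under which $s(i, y, k, \mu)$ equals the chosen target $C$, which is exactly the correctness property of Definition 1, while the digest $z_r$ is the value $H_p(y)$ of the construction; a masking assignment that is not strongly even-free, such as the constant map, already fails the single-man test on $[1, 2]$.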

Theorem 1. (Sufficient Condition for Valid Sequential Extension) 

If a sequential domain extension is based on a strongly even-free masking 
assignment $\psi$ then the domain extension is valid. 

Proof. By the above lemma $\psi$ is totally correct. The proof that totally correct 
implies valid is given for the complete binary tree domain extension in Section 
5. The same idea carries through for the sequential construction, so we 
omit this proof. 

Remark: Strongly even-free is a sufficient condition for a correct masking 
assignment, for example $\nu_2 + 1$. One may feel that the condition is also necessary. 
So, we may conjecture that if a masking assignment is correct for an arbitrary 
hash function then it must be strongly even-free. 

5 Complete Binary Tree Based Construction 

In the previous section we studied the sequential construction. Now we will 
first define the generic algorithm based on the complete binary tree of height $t$. 

Let $T_t = (V_t, E_t)$ be the full binary tree where $V_t = \{1, 2, \ldots, 2^t - 1\}$ and $E_t = 
\{e_i : 2 \le i \le 2^t - 1\}$, $e_i = (i, \lfloor i/2 \rfloor)$. Let any function $\psi_t : E_t \to [1, l]$ be a masking 
assignment. (Note that we use $E_t$ as the domain of $\psi_t$.) Let $x = x_1 \| \ldots \| x_{2^t - 1}$ be 
the input message of length $N$. Given $\psi_t$, $x$, and $p = k \| \mu$, $H_p(x)$ is computed 
by the following algorithm. 

1. Input: $x = x_1 \| x_2 \| \cdots \| x_{2^t - 1}$ and $p = k \| \mu_1 \| \mu_2 \| \cdots \| \mu_l$. 

2. If $2^{t-1} \le i \le 2^t - 1$ then $z_i = h_k(x_i)$, else if $1 \le i < 2^{t-1}$ then $z_i = 
h_k(s_{2i} \| s_{2i+1} \| x_i)$, where $s_i = z_i \oplus \mu_{\psi_t(e_i)}$. 

3. Output: $z_1$. 

Note that the input of the $i$-th node is $s_{2i} \| s_{2i+1} \| x_i$ and the output of node $i$ is $z_i$. We 
say that the above complete binary tree based domain extension is based on 
the masking assignment $\psi_t$. We will write $s(i, x, k, \mu, t)$ and $z(i, x, k, \mu, t)$ for $s_i$ 
and $z_i$ in the above algorithm, respectively. As for the sequential algorithm, we say 
that $\psi_t$ is correct if for each $1 \le i < 2^{t-1}$ there is a mask defining algorithm 
$\mathrm{Mdef}_{tree}(i, x, k, t, r_0, r_1, \psi_t)$, where $|r_0| = |r_1| = m$, which outputs $\mu = \mu_1 \| \ldots \| \mu_l$ 
such that $s(2i, x, k, \mu, t) = r_0$ and $s(2i + 1, x, k, \mu, t) = r_1$. $\psi_t$ is totally correct 
if the output $\mu$ of the mask defining algorithm is a random string provided $r_0, r_1$ 
are random strings and the other inputs are fixed. 

Definition 4. A masking assignment $\psi_t : E_t \to [1, l]$ is a level uniform 
masking assignment if there are two functions $\alpha_t, \beta_t : [2, t] \to [1, l]$ such that 
$\psi_t(e_i) = \alpha_t(j)$ if $i$ is odd and $\psi_t(e_i) = \beta_t(j)$ if $i$ is even, where $j = ht_t(i) + 1$. 
We will first briefly state some standard binary tree based constructions, all of 
which are based on level-uniform masking assignments. 

1. Bellare-Rogaway [1]: $\alpha_t(i) = i - 1$ and $\beta_t(i) = t + i - 2$. In [1] it was shown 
that $\psi_t$ is valid. Here, we need $2(t - 1)$ masks. 

2. Sarkar [8]: $\alpha_t(i) = i - 1$ and $\beta_t(i) = t + \nu_2(i - 1)$. In [8] it was shown that 
$\psi_t$ is valid. Here, we need $t + \lceil \log_2 t \rceil - 1$ masks. 

Now we will propose our binary tree based construction, which needs fewer 
masks than Sarkar's. Like the above examples, our domain extension is 
also based on a level uniform masking assignment, so it is enough to define the 
two functions $\alpha_t$ and $\beta_t$. This construction can be found in more detail in [5]. 
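The generic complete binary tree algorithm with a level uniform masking assignment (Definition 4), instantiated with the Bellare-Rogaway and Sarkar functions $\alpha_t, \beta_t$ listed above, as an added Python example that is not the paper's code. The base family is again a constructed stand-in (HMAC-SHA256 keyed with $k$ and truncated to $m = 64$ bits, with $n = 256$ so that $n > 2m$), and height, level_uniform, mask_count, tree_hash and demo are the example's own names. Besides the digest $z_1$, tree_hash records the parallel round in which each node can be computed, which is the quantity behind the speed-up of Theorem 5 below.

```python
import hashlib
import hmac

# Constructed toy base family (assumption, not the paper's): h_k is HMAC-SHA256
# keyed with k and truncated to m bits; n = 256, m = 64, so n > 2m as required.
N_BYTES, M_BYTES = 32, 8


def h(k: bytes, x: bytes) -> bytes:
    assert len(x) == N_BYTES, "h_k takes exactly n bits"
    return hmac.new(k, x, hashlib.sha256).digest()[:M_BYTES]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def nu2(i: int) -> int:
    return (i & -i).bit_length() - 1


def height(i: int, t: int) -> int:
    """ht_t(i) = j with 2^(t-j) <= i <= 2^(t+1-j) - 1: root has height t, leaves 1."""
    return t - (i.bit_length() - 1)


def level_uniform(alpha, beta, t: int):
    """Definition 4: psi_t(e_i) = alpha(j) for odd i, beta(j) for even i, j = ht_t(i) + 1."""
    def psi(i: int) -> int:
        j = height(i, t) + 1
        return alpha(j) if i % 2 else beta(j)
    return psi


def bellare_rogaway(t: int):
    """alpha_t(i) = i - 1, beta_t(i) = t + i - 2: 2(t - 1) masks."""
    return level_uniform(lambda i: i - 1, lambda i: t + i - 2, t)


def sarkar(t: int):
    """alpha_t(i) = i - 1, beta_t(i) = t + nu_2(i - 1): t + ceil(log2 t) - 1 masks."""
    return level_uniform(lambda i: i - 1, lambda i: t + nu2(i - 1), t)


def mask_count(psi, t: int) -> int:
    """Distinct masks psi_t uses over E_t = {e_i : 2 <= i <= 2^t - 1}."""
    return len({psi(i) for i in range(2, 2 ** t)})


def tree_hash(k: bytes, mu: dict, x: list, t: int, psi):
    """Section 5 algorithm.  x[i] is x_i (1-based, x[0] unused): |x_i| = n - 2m for
    internal nodes, n for leaves.  Returns (z, rounds): z[i] = z_i and rounds[i] is
    the parallel round in which node i is ready (leaves in round 1, root in round t)."""
    last = 2 ** t - 1
    z = [None] * (last + 1)
    rounds = [0] * (last + 1)
    for i in range(last, 0, -1):                 # children 2i, 2i+1 are done before i
        if i >= 2 ** (t - 1):
            z[i] = h(k, x[i])
            rounds[i] = 1
        else:
            s = [xor(z[c], mu[psi(c)]) for c in (2 * i, 2 * i + 1)]
            z[i] = h(k, s[0] + s[1] + x[i])
            rounds[i] = 1 + max(rounds[2 * i], rounds[2 * i + 1])
    return z, rounds


def demo(t: int = 4, scheme=sarkar) -> dict:
    """Constructed sample: fixed key, fixed masks, fixed message blocks."""
    psi = scheme(t)
    l = mask_count(psi, t)
    k = bytes(range(16))
    mu = {j: bytes([j]) * M_BYTES for j in range(1, l + 1)}
    x = [None] + [bytes([i]) * (N_BYTES - 2 * M_BYTES if i < 2 ** (t - 1) else N_BYTES)
                  for i in range(1, 2 ** t)]
    z, rounds = tree_hash(k, mu, x, t, psi)
    n_bits, m_bits = 8 * N_BYTES, 8 * M_BYTES
    total_bits = 8 * sum(len(b) for b in x[1:])
    return {"masks": l, "rounds": rounds[1], "digest": z[1],
            "N_ok": total_bits == n_bits * (2 ** t - 1) - m_bits * (2 ** t - 2)}
```

For the Sarkar assignment with $t = 4$ the example uses 5 masks and for $t = 8$ it uses 10, matching $t + \lceil \log_2 t \rceil - 1$, while Bellare-Rogaway uses 6 and 14; the root is always ready in round $t$, and the total message length equals $N = n(2^t - 1) - m(2^t - 2)$ from Section 3.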



Fig. 1. The right most part of the complete binary tree when the root 
of the tree (i.e. vertex 1) is placed at the top. ($t = 8$ and $|x_1| = \cdots = |x_{127}| = n - 2m$, and 
$|x_{128}| = \cdots = |x_{255}| = n$. ● means $h_k(\cdot)$.) 


5.1 Improved Binary Tree Based Construction 

Define two sequences $\{l_k\}_{k \ge 0}$ and $\{m_t\}_{t \ge 2}$ as follows: $l_{k+1} = 2^{l_k + k} +$ [illegible], where 
$l_0 = 2$ and $m_2 = 2$, and if $k \ge 1$, $m_t = t + k$ for all $t \in [l_{k-1} + 1, l_k]$. Note 
that both $l_k$ and $m_t$ are strictly increasing sequences, and if $t = l_k$ for some 
$k$ then $m_{t+1} = m_t + 2$, and if for some $k$, $l_k < t < l_{k+1}$ then $m_{t+1} = m_t + 1$. 
Later we will see that $m_t$ is the number of masks of our algorithm for the binary 
tree of height $t$, and $m_t \le t + k$ as long as $t \le l_k$. Intuitively, $k = O(\log_2^*(l_k))$, so 
$m_t = t + O(\log_2^* t)$. The level uniform masking assignment $\psi_t$ is based on the 
functions $\alpha_t, \beta_t : [2, t] \to [1, m_t]$, $t \ge 2$, which are defined as follows (see 
Figure 1, where the right most part of the tree is drawn; it completely 
determines the functions $\alpha_t$ and $\beta_t$). 

1. $\alpha_2(2) = 2$ and $\beta_2(2) = 1$. 

2. For $t \ge 3$, $\alpha_t(i) = \alpha_{t-1}(i)$ and $\beta_t(i) = \beta_{t-1}(i)$ whenever $2 \le i \le t - 1$. 

3. If $t \ge 3$ and $t - 1 = l_k$ for some $k$ then $\alpha_t(t) = \alpha_{t-1}(t - 1) + 2$ and 
$\beta_t(t) = \alpha_{t-1}(t - 1) + 1$, and if $l_k < t - 1 < l_{k+1}$ then $\alpha_t(t) = \alpha_{t-1}(t - 1) + 1$ 
and $\beta_t(t) = \nu_2(t - 1 - l_k) + 1$. 

Theorem 2. For $t \ge 2$, $\alpha_t$ and $\beta_t$ map into $[1, m_t]$. Moreover, $\alpha_t(t) = m_t$ and 
$\alpha_t([2, t]) \cup \beta_t([2, t]) = [1, m_t]$. So, we need $m_t$ many masks. 

Proof. For $2 \le i \le t$, $\alpha_t(i) = m_i$ can be easily proved by induction. Also 
note that, when $i = l_k + 1$ for some $k$, then $\beta_t(i) = m_{i-1} + 1 < m_i$, and when 
$l_k + 1 < i \le l_{k+1}$, $\beta_t(i) = \nu_2(i - l_k) + 1 \le l_k + k = m_{l_k} < m_i$. So this proves that 
$\alpha_t$ and $\beta_t$ map into $[1, m_t]$. To prove the last part let $1 \le j \le m_t$. Then we have 
some $i$ so that $j = m_i$ or $j = m_{l_k} + 1$. If $j = m_i$ then $\alpha_t(i) = m_i = j$, otherwise 
$\beta_t(l_k + 1) = m_{l_k} + 1 = j$. So, we have that $\alpha_t([2, t]) \cup \beta_t([2, t]) = [1, m_t]$. ■ 

Now we will prove that the above $\psi_t$ is totally correct for all $t \ge 2$. For this 
we need to define $\mathrm{Mdef}_{tree}(i, x, k, t, r_0, r_1, \psi_t)$. We will define the mask defining 
algorithm for $i = 1$; otherwise we can consider the complete binary tree rooted at $i$ 
(i.e. $T_t[i]$) and define $\mathrm{Mdef}_{tree}(i, x, k, t, r_0, r_1, \psi_t)$ by $\mathrm{Mdef}_{tree}(1, x', k, t', r_0, r_1, \psi')$, 
where $t' =$ [illegible], $x' = x(i)$, i.e. the part of the message involved in the subtree 
$T_t[i]$, and $\psi'$ is $\psi_t$ restricted to $T_t[i]$, which is the same as $\psi_{t'}$ (this can be checked easily 
as $\psi_t$ is level uniform). So, we can assume that $i = 1$. 

1. If $t = l_k + 1$ for some $k$ then 

(a) Define $\mu$ by a random string. 

(b) Compute $\mu_{m_t - 1} = z(2, x, k, \mu, t) \oplus r_0$ and $\mu_{m_t} = z(3, x, k, \mu, t) \oplus r_1$. To 
compute $z(2, x, k, \mu, t)$ and $z(3, x, k, \mu, t)$ we actually need only $\mu[m_t - 2]$, 
as $\mu_{m_t - 1}$ and $\mu_{m_t}$ appear only on the edges $e_2$ and $e_3$. 

2. If $l_k + 1 < t \le l_{k+1}$ for some $k$ then 

(a) Let the set $A = \{2^{i+1} + 1 : 0 \le i \le r\} \cup \{2^{r+1}\}$, where $r = t - (l_k + 1)$. 

(b) Choose $b_i$ randomly for all $i \in A - \{3\}$ such that $|b_i| = m$, and let $b_3 = r_1$. 

(c) Let $y = y_0 \| y_1 \| \cdots \| y_r$ where $y_0 = b_{2^{r+1}} \| b_{2^{r+1} + 1} \| x_{2^r}$ and $y_j = b_{2^{r+1-j} + 1} 
\| x_{2^{r-j}}$ for $1 \le j \le r$. 

(d) Run $\mathrm{Mdef}_{seq}(r, y, k, r_0, \psi') = \mu[l']$ where $l' = \lfloor \log_2 r \rfloor + 1 \le l_k + k = 
m_{l_k}$ and $\psi'$ is $\psi$ restricted to the path $e_{2^r}, e_{2^{r-1}}, \ldots, e_2$. More 
precisely, $\psi'(i) = \psi(e_{2^{r+1-i}})$. So, if $\mu$ is computed in such a way that 
$s(i, x, k, \mu, t) = b_i$ for all $i \in A$, then by the definition of $\mathrm{Mdef}_{seq}$ we will have 
$s(2, x, k, \mu, t) = r_0$. 

(e) Define the remaining masks randomly and for $i \in A$ (in descending order) 
compute $\mu_{\psi(e_i)} = z(i, x, k, \mu, t) \oplus b_i$. 

When $t = l_k + 1$ the correctness of $\psi_t$ easily follows from the definition of 
$\mu_{m_t - 1}$ and $\mu_{m_t}$. Note that, to compute $z(j, x, k, \mu, t)$ for $j \in A$ in step 2(e), we 
do not need the masks $\mu_{\psi(e_{j'})}$ for all $j' \in A$, $j' > j$. So, $s(i, x, k, \mu, t) = b_i$ for all 
$i \in A$, and hence $\mathrm{Mdef}_{tree}$ is correct. If $r_0$ and $r_1$ are random strings then so is 
the output $\mu$, and hence $\psi_t$ is totally correct for all $t$. So, we have the following 
theorem: 

Theorem 3. The masking assignment $\psi_t$ based on the two functions $\alpha_t$ and $\beta_t$ as 
above is totally correct. 

Now we will prove the statement "totally correct implies valid" for binary tree 
based masking assignments. The same idea will carry through for the other 
constructions. 

Theorem 4. (Validness of domain extension) In case of binary tree based 
domain extension a totally correct masking assignment is always valid. More 
precisely, we have that if there is an $(\epsilon, \eta)$ winning strategy $A$ for $\{H_p\}_{p \in \mathcal{P}}$ then 
there is also an $(\epsilon / (2^t - 1),\ \eta + 2(2^t - 1))$-strategy $B$ for $\{h_k\}_{k \in \mathcal{K}}$ whenever $\{H_p\}_{p \in \mathcal{P}}$ 
is based on a totally correct masking assignment. 

Proof. We describe the two stages of the strategy $B$ as follows. 

Algorithm $B^{guess} = (y, s)$: 

Run $A^{guess}$ to obtain $x \in \{0,1\}^N$ and state information $s'$. Choose an $i \in_R 
\{1, \ldots, 2^t - 1\}$. If $2^{t-1} \le i \le 2^t - 1$, set $y = x_i$; $r_0, r_1$ to be the empty string and 
$s = (s', i, r_0, r_1, x)$. Output $(y, s)$ and stop. If $1 \le i \le 2^{t-1} - 1$, then choose two 
strings $r_0$ and $r_1$ uniformly at random from the set $\{0,1\}^m$. Set $y = r_0 \| r_1 \| x_i$ 
and $s = (s', i, r_0, r_1, x)$. Output $(y, s)$ and stop. At this point the adversary is 
given a $k$ which is chosen uniformly at random from the set $\mathcal{K} = \{0,1\}^K$. The 
adversary then runs $B^{find}$, which is described below. 

Algorithm $B^{find}(y, k, s) = y'$: (Note $s = (s', i, r_0, r_1, x)$.) 

Define the masks $\mu_1, \ldots, \mu_{m_t}$ by executing the algorithm $\mathrm{Mdef}_{tree}(i, x, k, t, r_0, r_1)$. 
This defines the key $p = k \| \mu$ for the function $H_p$. Run $A^{find}(x, p, s')$ to obtain 
$x'$. Let $y'$ be the input of the $i$-th node corresponding to the string $x'$. Output $y'$. 

We now lower bound the probability of success. By total correctness $p$ is 
a randomly chosen key from the set $\mathcal{P}$. Suppose $x$ and $x'$ ($x \ne x'$) collide for 
the function $H_p$. Then there must be a $j$ in the range $1 \le j \le 2^t - 1$ such that 
at vertex $j$ there is a collision for the function $h_k$. (Otherwise it is possible to 
prove by a backward induction that $x = x'$.) The probability that $j = i$ is $1/(2^t - 1)$, 
where $i$ is a random number lying between 1 and $2^t - 1$. Hence if the success 
probability of $A$ is at least $\epsilon$, then the success probability of $B$ is at least $\epsilon / (2^t - 1)$. 
Also the number of invocations of $h_k$ by $B$ is equal to the number of invocations 
of $h_k$ by $A$ plus at most $2(2^t - 1)$. This completes the proof. ■ 

Theorem 5. The speed-up of our algorithm over the sequential algorithm in 
Section 4 is by a factor of $(2^t - 1)/t$. 

Proof. This algorithm hashes a message of length $n(2^t - 1) - m(2^t - 2)$ into a 
digest of length $m$ using $t$ parallel rounds. The time taken by a single parallel 
round is proportional to the time required by a single invocation of the hash 
function $h_k$. The sequential construction requires $2^t - 1$ invocations of the hash 
function $h_k$ on a message of length $n(2^t - 1) - m(2^t - 2)$. Hence, the speed-up of 
the binary tree algorithm over the sequential algorithm is by a factor of $(2^t - 1)/t$. ■ 
Fig. 2. 4-dimensional parallel algorithm ($t = 6$ and $x = x_1 \| \ldots \| x_{2^6}$. Note that $g(6) = 
(2, 2, 1, 1)$ and $|x_1| = \cdots = |x_3| = n - 4m$, $|x_4| = \cdots = |x_{12}| = n - 3m$, $|x_{13}| = \cdots = 
|x_{16}| = n - 2m$, $|x_{17}| = \cdots = |x_{32}| = n - m$, and $|x_{33}| = \cdots = |x_{64}| = n$. ● means 
$h_k(\cdot)$.) 

Remark: The speed-up achieved by our algorithm is substantial even for moderate 
values of $t$. Such speed-up will prove to be advantageous for hashing long 
messages. 

Theorem 6. The number of masks for this algorithm is $t + O(\log_2^* t)$. 

Proof. From the recurrence relation it is clear that $2^{2 l_k} \ge l_{k+1} \ge 2^{l_k}$. So, 
$\log_2^*(l_k) + 1 \le \log_2^*(l_{k+1}) \le \log_2^*(l_k) + 2$, and hence $\log_2^*(l_k) = \Theta(k)$, i.e. $\log_2^*(l_k)$ 
and $k$ are of the same order. So, for all $l_k < t \le l_{k+1}$, $m_t - t = k = \Theta(\log_2^* t)$. ■ 

6 Non-complete l-Ary Tree Based Construction 

Our first new construction IBTC is based on the complete binary tree. In this 
section we present a new parallel construction for a UOWHF based on a 4-ary 
directed tree which is not complete. 

We will first define the generic algorithm based on the 4-ary directed tree 
$T_t = (V_t, E_t)$ for $t \ge 4$ (see this notation in Section 3). For $t = 2$ and $t = 3$, we 
can define the algorithm based on the binary and 3-ary tree based construction 
(see Section 6.3), respectively. 

Like the previous constructions, any function $\psi_t : E_t \to [1, l]$ is a masking 
assignment. Let $x = x_1 \| x_2 \| \ldots \| x_{2^t}$ be the input message of length $N$. Given $\psi_t$, $x$, 
and $p = k \| \mu$, $H_p(x)$ is computed by the following algorithm. This is depicted in 
Figure 2. In this section $a, b, c$ and $d$ denote the output of $g(t)$. 

1. Input: $x = x_1 \| x_2 \| \cdots \| x_{2^t}$ and $p = k \| \mu_1 \| \mu_2 \| \ldots \| \mu_l$. 

2. If $2^{a+b+c}(2^d - 1) < i \le 2^t$ then $z_i = h_k(x_i)$. 

3. If $d = 1$ then go to step 4. 

(a) For $j = 2^d - 2$ down to 1 do 

For $j 2^{a+b+c} < i \le (j+1) 2^{a+b+c}$, $z_i = h_k(s_{i + 2^{a+b+c}} \| x_i)$ where $s_i = 
z_i \oplus \mu_{\psi_t(e_i)}$ (this notation is also the same in the following steps). 

4. For $2^{a+b}(2^c - 1) < i \le 2^{a+b+c}$, $z_i = h_k(s_{i + 2^{a+b+c}} \| x_i)$. 

5. If $c = 1$ go to step 6. 

(a) For $j = 2^c - 2$ down to 1 do 

For $j 2^{a+b} < i \le (j+1) 2^{a+b}$, $z_i = h_k(s_{i + 2^{a+b}} \| s_{i + 2^{a+b+c}} \| x_i)$. 

6. For $2^a(2^b - 1) < i \le 2^{a+b}$, $z_i = h_k(s_{i + 2^{a+b}} \| s_{i + 2^{a+b+c}} \| x_i)$. 

7. If $b = 1$ go to step 8. 

(a) For $j = 2^b - 2$ down to 1 do 

For $j 2^a < i \le (j+1) 2^a$, $z_i = h_k(s_{i + 2^a} \| s_{i + 2^{a+b}} \| s_{i + 2^{a+b+c}} \| x_i)$. 

8. For $i = 2^a$, $z_i = h_k(s_{i + 2^a} \| s_{i + 2^{a+b}} \| s_{i + 2^{a+b+c}} \| x_i)$. 

9. For $i = 2^a - 1$ down to 1, $z_i = h_k(s_{i+1} \| s_{i + 2^a} \| s_{i + 2^{a+b}} \| s_{i + 2^{a+b+c}} \| x_i)$. 

10. Output: $z_1$. 

We say that the above non-complete 4-ary tree based construction is based 
on the masking assignment $\psi_t$. Here we need some definitions in order to 
consider the correctness of $\psi_t$. 

1. We will write $s(i, x, k, \mu, t)$, $z(i, x, k, \mu, t)$ for $s_i$ and $z_i$, respectively. 

2. $\varepsilon$ means the empty string. 

3. For each node $1 \le i \le 2^{a+b+c}(2^d - 1)$, 

(a) Define $s^0(i, x, k, \mu, t)$ as $s(i + 1, x, k, \mu, t)$ for $1 \le i < 2^a$ and as $\varepsilon$ for 
$2^a \le i \le 2^{a+b+c}(2^d - 1)$. 

(b) Define $s^1(i, x, k, \mu, t)$ as $s(i + 2^a, x, k, \mu, t)$ for $1 \le i \le 2^a(2^b - 1)$ and as 
$\varepsilon$ for $2^a(2^b - 1) < i \le 2^{a+b+c}(2^d - 1)$. 

(c) Define $s^2(i, x, k, \mu, t)$ as $s(i + 2^{a+b}, x, k, \mu, t)$ for $1 \le i \le 2^{a+b}(2^c - 1)$ and 
as $\varepsilon$ for $2^{a+b}(2^c - 1) < i \le 2^{a+b+c}(2^d - 1)$. 

(d) Define $s^3(i, x, k, \mu, t)$ as $s(i + 2^{a+b+c}, x, k, \mu, t)$ for $1 \le i \le 2^{a+b+c}(2^d - 1)$. 

Therefore the input of the $i$-th node can be represented by $s^0(i, x, k, \mu, t) \| s^1(i, x, k, \mu, 
t) \| s^2(i, x, k, \mu, t) \| s^3(i, x, k, \mu, t) \| x_i$ for $1 \le i \le 2^{a+b+c}(2^d - 1)$. 

We will say that $\psi_t$ is correct if, for each $1 \le i \le 2^{a+b+c}(2^d - 1)$, there 
is an algorithm $\mathrm{Mdef}_{4dim}(i, x, k, t, r_0, r_1, r_2, r_3, \psi_t)$, where $r_0$ is an $m$-bit string if 
$1 \le i < 2^a$ and $\varepsilon$ if $2^a \le i \le 2^a(2^b - 1)$, $r_1$ is an $m$-bit string if $1 \le i \le 2^a(2^b - 1)$ 
and $\varepsilon$ if $2^a(2^b - 1) < i \le 2^{a+b}(2^c - 1)$, $r_2$ is an $m$-bit string if $1 \le i \le 2^{a+b}(2^c - 1)$ 
and $\varepsilon$ if $2^{a+b}(2^c - 1) < i \le 2^{a+b+c}(2^d - 1)$, and $r_3$ is an $m$-bit string for $1 \le i \le 
2^{a+b+c}(2^d - 1)$, which outputs $\mu = \mu_1 \| \cdots \| \mu_l$ such that $s^j(i, x, k, \mu, t) = r_j$ for 
$0 \le j \le 3$. $\psi_t$ is totally correct if the output $\mu$ of the mask defining algorithm 
is a random string provided $r_0, r_1, r_2$ and $r_3$ are random strings and the other inputs 
are fixed. 


6.1 4-Dimensional Domain Extender 

Our second new parallel construction uses the following masking assignment 
$\psi_t : E_t \to [1, t]$. The map represents the assignment of masks to the directed 
edges. Here we present our definition of $\psi_t$, which needs $t$ masks for the 4-dimensional 
construction. Intuitively, the map $\psi_t$ is made by expanding the mask assigning 
method of Shoup's sequential construction into four directions. First, we define 
four functions $\alpha_t$, $\beta_t$, $\gamma_t$, and $\delta_t$ as follows. 

1. $\alpha_t : [1, 2^a - 1] \to [1, a]$ is defined by $\alpha_t(i) = 1 + \nu_2(2^a - i)$. 

2. $\beta_t : [1, 2^b - 1] \to [a + 1, a + b]$ is defined by $\beta_t(i) = a + 1 + \nu_2(2^b - i)$. 

3. $\gamma_t : [1, 2^c - 1] \to [a + b + 1, a + b + c]$ is defined by $\gamma_t(i) = a + b + 1 + \nu_2(2^c - i)$. 

4. $\delta_t : [1, 2^d - 1] \to [a + b + c + 1, t]$ is defined by $\delta_t(i) = a + b + c + 1 + \nu_2(2^d - i)$. 

Our masking assignment $\psi_t(e_i)$ is defined as follows: 

1. $\psi_t(e_i) = \alpha_t(j)$ if $2 \le i \le 2^a$ and $j = i - 1$. 

2. $\psi_t(e_i) = \beta_t(j)$ if $2^a < i \le 2^{a+b}$ and $j 2^a < i \le (j + 1) 2^a$. 

3. $\psi_t(e_i) = \gamma_t(j)$ if $2^{a+b} < i \le 2^{a+b+c}$ and $j 2^{a+b} < i \le (j + 1) 2^{a+b}$. 

4. $\psi_t(e_i) = \delta_t(j)$ if $2^{a+b+c} < i \le 2^t$ and $j 2^{a+b+c} < i \le (j + 1) 2^{a+b+c}$. 
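The non-complete 4-ary tree $T_t$ and the function $g(t)$ from Section 3, the hashing algorithm of Section 6 (steps 2 to 10) and the masking assignment $\psi_t$ just defined, as an added Python example that is not the paper's code. It uses a constructed stand-in for $h_k$ (HMAC-SHA256 keyed with $k$ and truncated to $m = 64$ bits, with $n = 320$ so that $n > 4m$); g, parent, children, psi_4dim, hash_4dim, mask_count and demo are the example's own names. Instead of the ten explicit steps, hash_4dim evaluates the nodes from $2^t$ down to 1 and feeds each node the $s$-values of its incoming edges in ascending index order, which is exactly the input $s^0 \| s^1 \| s^2 \| s^3 \| x_i$ described above; it also records the parallel round of each node, so the round count $2^a + 2^b + 2^c + 2^d - 3$ of Theorem 9 and the $t$-mask count of Theorem 10 can be checked for any $t$, not only the $t \equiv 0 \pmod 4$ case stated there.

```python
import hashlib
import hmac

# Constructed toy base family (assumption, not the paper's): h_k is HMAC-SHA256
# keyed with k and truncated to m bits; n = 320, m = 64, so n > 4m as required.
N_BYTES, M_BYTES = 40, 8


def h(k: bytes, x: bytes) -> bytes:
    assert len(x) == N_BYTES, "h_k takes exactly n bits"
    return hmac.new(k, x, hashlib.sha256).digest()[:M_BYTES]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def nu2(i: int) -> int:
    return (i & -i).bit_length() - 1


def g(t: int) -> tuple:
    """g(t) = (a, b, c, d) from Section 3; for example g(6) = (2, 2, 1, 1)."""
    q, r = divmod(t, 4)
    return (q + (r + 3) // 4, q + (r + 2) // 4, q + (r + 1) // 4, q)


def parent(i: int, t: int) -> int:
    """Terminal node of the edge e_i of the non-complete 4-ary tree T_t (i >= 2)."""
    a, b, c, d = g(t)
    if i <= 2 ** a:
        return i - 1
    if i <= 2 ** (a + b):
        return i - 2 ** a
    if i <= 2 ** (a + b + c):
        return i - 2 ** (a + b)
    return i - 2 ** (a + b + c)


def psi_4dim(i: int, t: int) -> int:
    """Section 6.1 masking assignment psi_t(e_i) built from alpha_t, ..., delta_t."""
    a, b, c, d = g(t)
    if i <= 2 ** a:                                   # alpha_t(j), j = i - 1
        return 1 + nu2(2 ** a - (i - 1))
    if i <= 2 ** (a + b):                             # beta_t(j), j*2^a < i <= (j+1)*2^a
        return a + 1 + nu2(2 ** b - (i - 1) // 2 ** a)
    if i <= 2 ** (a + b + c):                         # gamma_t(j)
        return a + b + 1 + nu2(2 ** c - (i - 1) // 2 ** (a + b))
    return a + b + c + 1 + nu2(2 ** d - (i - 1) // 2 ** (a + b + c))   # delta_t(j)


def children(t: int) -> dict:
    """Initial nodes of the edges into each node, ascending: i+1, i+2^a, i+2^(a+b),
    i+2^(a+b+c) whenever that edge exists (the order of s^0, s^1, s^2, s^3)."""
    kids = {i: [] for i in range(1, 2 ** t + 1)}
    for i in range(2, 2 ** t + 1):
        kids[parent(i, t)].append(i)
    return kids


def hash_4dim(k: bytes, mu: dict, x: dict, t: int):
    """Section 6 algorithm.  x[i] = x_i with |x_i| = n - m * (number of incoming edges);
    mu maps mask index -> m-bit mask.  Returns (z, rounds): z[i] = z_i and rounds[i]
    is the parallel round in which node i can be computed (leaves in round 1)."""
    kids = children(t)
    z, rounds = {}, {}
    for i in range(2 ** t, 0, -1):        # every edge goes from a larger to a smaller index
        s = b"".join(xor(z[j], mu[psi_4dim(j, t)]) for j in kids[i])
        z[i] = h(k, s + x[i])
        rounds[i] = 1 + max((rounds[j] for j in kids[i]), default=0)
    return z, rounds


def mask_count(t: int) -> int:
    return len({psi_4dim(i, t) for i in range(2, 2 ** t + 1)})


def demo(t: int = 6) -> dict:
    """Constructed sample (t = 6 is the case of Fig. 2): fixed key, masks and blocks."""
    kids = children(t)
    k = bytes(range(16))
    mu = {j: bytes([j]) * M_BYTES for j in range(1, t + 1)}
    x = {i: bytes([i % 256]) * (N_BYTES - M_BYTES * len(kids[i])) for i in kids}
    z, rounds = hash_4dim(k, mu, x, t)
    a, b, c, d = g(t)
    total_bits = 8 * sum(len(v) for v in x.values())
    return {"g": (a, b, c, d), "masks": mask_count(t), "rounds": rounds[1],
            "rounds_formula": 2 ** a + 2 ** b + 2 ** c + 2 ** d - 3,
            "N_ok": total_bits == 8 * N_BYTES * 2 ** t - 8 * M_BYTES * (2 ** t - 1),
            "digest": z[1]}
```

For $t = 6$ the example reproduces the block lengths of Fig. 2 (nodes 1 to 3 have four incoming edges, node 4 three, nodes 33 to 64 none), uses exactly 6 masks, and needs 9 parallel rounds, which is $2^2 + 2^2 + 2^1 + 2^1 - 3$; for $t = 8$ the root is ready after 13 rounds, matching $2^{2 + t/4} - 3$ of Theorem 9.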

Now we will prove that the above $\psi_t$ is totally correct. 

Theorem 7. The masking assignment $\psi_t$ based on the four functions $\alpha_t$, $\beta_t$, $\gamma_t$ and 
$\delta_t$ as above is totally correct. 

Proof. We will define the mask defining algorithm $\mathrm{Mdef}_{4dim}$. 

Input: $k, x, i, r_0, r_1, r_2, r_3, \psi_t$. 

Output: $\mu = \mu_1 \| \ldots \| \mu_t$ such that $s^j(i, x, k, \mu, t) = r_j$ for $0 \le j \le 3$. 

We can define $\mathrm{Mdef}_{4dim}$ for each case $j \in \{1, 2, 3, 4\}$ where 

1. $1 \le i < 2^a$. 

2. $2^a \le i \le 2^a(2^b - 1)$. 

3. $2^a(2^b - 1) < i \le 2^{a+b}(2^c - 1)$. 

4. $2^{a+b}(2^c - 1) < i \le 2^{a+b+c}(2^d - 1)$. 

But we will present the specific procedure of $\mathrm{Mdef}_{4dim}$ only for case 1, since the 
other cases are very similar and much simpler than case 1. Let $1 \le i < 2^a$. 

1. (a) Let $D = 2^d - 1$. Let $\psi' : [1, D] \to [1, t]$ be the masking assignment such 
that $\psi'(j) = \psi_t(e_{i + (D + 1 - j) 2^{a+b+c}})$ where $j \in [1, D]$. 

(b) Let $y^3 = y^3_0 \| y^3_1 \| \cdots \| y^3_D$ where $y^3_v = x_{i + (D - v) 2^{a+b+c}}$ for $0 \le v \le D - 1$ 
and $y^3_D = r_0 \| r_1 \| r_2 \| x_i$. Note that $|y^3_0| = n$ and $|y^3_j| = n - m$ for $1 \le j \le 
D$. 

(c) Run $\mathrm{Mdef}_{seq}(D, y^3, k, r_3, \psi')$ to get an output $\mu[a + b + c + 1, t]$. 

(d) Set $\mu = \mu[t] = \mu'[a + b + c] \| \mu[a + b + c + 1, t]$, where $\mu'[a + b + c]$ is the 
$m(a + b + c)$-bit zero string. 

2. (a) Let $C = 2^c - 1$. Let $\psi'' : [1, C] \to [1, t]$ be the masking assignment such 
that $\psi''(j) = \psi_t(e_{i + (C + 1 - j) 2^{a+b}})$ where $j \in [1, C]$. 

(b) Let $y^2 = y^2_0 \| y^2_1 \| \ldots \| y^2_C$, where $y^2_v = s^3(i + (C - v) 2^{a+b}, x, k, \mu, t) \| 
x_{i + (C - v) 2^{a+b}}$ for $0 \le v \le C - 1$ and $y^2_C = r_0 \| r_1 \| r_3 \| x_i$. 

(c) Run $\mathrm{Mdef}_{seq}(C, y^2, k, r_2, \psi'')$ to get an output $\mu[a + b + 1, a + b + c]$. 

(d) Set $\mu = \mu[t] = \mu'[a + b] \| \mu[a + b + 1, a + b + c] \| \mu[a + b + c + 1, t]$, where 
$\mu'[a + b]$ is the $m(a + b)$-bit zero string. 

3. (a) Let $B = 2^b - 1$. Let $\psi''' : [1, B] \to [1, t]$ be the masking assignment such 
that $\psi'''(j) = \psi_t(e_{i + (B + 1 - j) 2^a})$ where $j \in [1, B]$. 

(b) Let $y^1 = y^1_0 \| y^1_1 \| \cdots \| y^1_B$, where $y^1_v = s^2(i + (B - v) 2^a, x, k, \mu, t) \| s^3(i + 
(B - v) 2^a, x, k, \mu, t) \| x_{i + (B - v) 2^a}$ for $0 \le v \le B - 1$ and $y^1_B = r_0 \| r_2 \| r_3 \| x_i$. 

(c) Run $\mathrm{Mdef}_{seq}(B, y^1, k, r_1, \psi''')$ to get an output $\mu[a + 1, a + b]$. 

(d) Set $\mu = \mu[t] = \mu'[a] \| \mu[a + 1, a + b] \| \mu[a + b + 1, a + b + c] \| \mu[a + b + c + 1, t]$, 
where $\mu'[a]$ is the $ma$-bit zero string. 

4. (a) Let $u = 2^a - i$ and $A = 2^a - 1$. Let $\psi'''' : [1, A] \to [1, t]$ be the masking 
assignment such that $\psi''''(j) = \psi_t(e_{A + 2 - j})$ where $j \in [1, A]$. 

(b) Let $y^0 = y^0_0 \| y^0_1 \| \cdots \| y^0_A$ where $y^0_v = s^1(A + 1 - v, x, k, \mu, t) \| s^2(A + 
1 - v, x, k, \mu, t) \| s^3(A + 1 - v, x, k, \mu, t) \| x_{A + 1 - v}$ for $0 \le v \le A - 1$ and 
$y^0_A = 1^{3m} \| x_1$. 

(c) Run $\mathrm{Mdef}_{seq}(u, y^0, k, r_0, \psi'''')$ to get an output $\mu[a]$. 

5. Output $\mu[t] = \mu[a] \| \mu[a + 1, a + b] \| \mu[a + b + 1, a + b + c] \| \mu[a + b + c + 1, t]$. 

It is easy to check that $s^j(i, x, k, \mu, t) = r_j$ for $0 \le j \le 3$. Therefore $\mathrm{Mdef}_{4dim}$ is 
correct for $1 \le i \le 2^a - 1$. If $r_0, r_1, r_2$, and $r_3$ are random strings then so is the 
output $\mu$, and hence $\psi_t$ is totally correct for $1 \le i \le 2^a - 1$. The other cases are 
very similar, so we omit the proof for these cases. ■ 

The following theorem shows that if $\{h_k\}_{k \in \mathcal{K}}$ is a UOWHF, then so is 
$\{H_p\}_{p \in \mathcal{P}}$. Using the fact that $\psi_t$ is totally correct, we can prove this theorem in 
much the same way as Theorem 4, so we omit the proof. 

Theorem 8. (Validness of domain extension) In case of 4-dimensional 
domain extension a totally correct masking assignment is always valid. More 
precisely, if there is an $(\epsilon, \eta)$-extended strategy for $\{H_p\}_{p \in \mathcal{P}}$ then there is an 
([illegible], $\eta + 2^{t+1}$)-strategy for $\{h_k\}_{k \in \mathcal{K}}$ whenever $\{H_p\}_{p \in \mathcal{P}}$ is based on a totally correct 
masking assignment. 

We now show the speed-up of the 4-dimensional construction over the sequential construction. For the sake of simplicity we do not describe the case $t \not\equiv 0 \pmod 4$.

Theorem 9. The speed-up of the 4-dimensional construction over the sequential construction in Section 4 is by a factor of $2^t / (2^{2+t/4} - 3)$ if $t \equiv 0 \pmod 4$.

Proof. The 4-dimensional construction hashes a message of length $n2^t - m(2^t - 1)$ into a digest of length $m$ using $2^a + 2^b + 2^c + 2^d - 3$ parallel rounds. Therefore, if $t \equiv 0 \pmod 4$ then $4 \times 2^{t/4} - 3 = 2^{2+t/4} - 3$ parallel rounds are needed to hash a message of length $n2^t - m(2^t - 1)$. The time taken by a single parallel round is proportional to the time required by a single invocation of the hash function $h_k$. The sequential construction requires $2^t$ invocations of the hash function $h_k$ on a message of length $n2^t - m(2^t - 1)$. Hence, the speed-up of the 4-dimensional construction over the sequential construction is by a factor of $2^t / (2^{2+t/4} - 3)$ if $t \equiv 0 \pmod 4$. ■

By the definition of the masking assignment of the 4-dimensional construction, the following theorem is clear.

Theorem 10. The number of masks for the 4-dimensional construction is $t$.

6.2 Optimality of the 4-Dimensional Domain Extender

In [4] Mironov proved that among all sequential algorithms Shoup's algorithm reuses the masks as much as possible. This means that among all sequential algorithms there is no algorithm with a smaller key expansion than Shoup's algorithm.

As Mironov did in [4], we can also ask whether the masks can be reused even more in the 4-dimensional domain extender. Luckily, we can easily answer this question using a recent result of Sarkar [8]. Furthermore, using that result, we can prove that the key length expansion of the 4-dimensional domain extender is the minimum possible for any algorithm in a large class of "natural" domain extending algorithms, including all 4-dimensional type algorithms and all previously proposed algorithms.

In [8] Sarkar provided a generic lower bound on the key length expansion required for securely extending the domain of a UOWHF. He first defined a large class $\mathcal{A}$ of "natural" domain extending algorithms. Then he proved that for any $A \in \mathcal{A}$ such that $A$ is correct for $s$ invocations of $h_k$, the number of masks required by $A$ is at least $\lceil \log_2 s \rceil$. (Details can be found in Section 4 of [8].) Note that Shoup's algorithm is an element of the class $\mathcal{A}$. Therefore, it follows that Shoup's algorithm is optimal for the class $\mathcal{A}$.

On the other hand, the 4-dimensional domain extender is also an element of the class $\mathcal{A}$, and for $2^t$ invocations of $h_k$ the 4-dimensional domain extender uses $t$ $(= \lceil \log_2 2^t \rceil)$ masks to securely extend the domain of a UOWHF. Hence the 4-dimensional domain extender is also optimal for the class $\mathcal{A}$.

6.3 l-Dimensional Domain Extender

In the above we provided the 4-dimensional domain extender and considered the security and the optimality of its key length expansion. In fact the construction idea can be generalized to any $l$-dimensional domain extender ($l \ge 2$). If $n \ge lm$, we can define the $l$-dimensional domain extender. We start by setting the function $g(t) = (a_1, \ldots, a_l)$ exactly as we did for the 4-dimensional case, and the whole specification of the $l$-dimensional domain extender is then obtained with the same description method as for the 4-dimensional domain extender. We can also consider the security and optimality of the $l$-dimensional domain extender as in the 4-dimensional case.

Table 2. Specific comparison of domain extenders for UOWHF.

Parameter              | Shoup [10]             | l-DIM (l >= 2)                             | IBTC                       | Sarkar [8]
-----------------------+------------------------+--------------------------------------------+----------------------------+--------------------------
seq/par                | sequential             | parallel                                   | parallel                   | parallel
message length         | 2^t n - (2^t - 1)m     | 2^t n - (2^t - 1)m                         | (2^t - 1)n - (2^t - 2)m    | (2^t - 1)n - (2^t - 2)m
# invocations of h_k   | 2^t                    | 2^t                                        | 2^t - 1                    | 2^t - 1
# masks                | t                      | t                                          | t + O(log_2 t)             | t + ceil(log_2 t) - 1
# rounds               | 2^t                    | l 2^{t/l} - l + 1  (t = 0 mod l)           | t                          | t
speed-up               | 1                      | 2^t / (l 2^{t/l} - l + 1)  (t = 0 mod l)   | (2^t - 1)/t                | (2^t - 1)/t

7 Comparison to Known Algorithms

In Table 2 we compare the specific performance of the known algorithms with the $l$-dimensional domain extender and the improved binary tree based construction (IBTC). Note that the message length which can be handled varies between the known algorithms. For example, Shoup's and $l$-DIM can handle a message of $2^t n - (2^t - 1)m$ bits, whereas Sarkar's and IBTC cannot handle a message of that length. Therefore, we cannot fix one message length in order to compare the known algorithms with $l$-DIM and IBTC. Instead, we give the message length separately for each algorithm, as shown in Table 2.

The algorithms use one key for the base hash function and some number of $m$-bit mask keys. The number of masks in Table 2 refers to the latter. The number of invocations of $h_k$ is the total cost. The number of rounds reflects the parallelizability arising via tree-based constructions, and indicates the total time to completion. In Shoup's sequential construction it is equal to the number of invocations of $h_k$. Speed-up (over the sequential algorithm, i.e. Shoup's) is the ratio of the number of invocations of $h_k$ to the number of rounds. For the sake of simplicity we do not describe the case $t \not\equiv 0 \pmod l$ in the entries for the number of rounds and the speed-up of our $l$-DIM.

Table 2 shows that the key length expansion of $l$-DIM is the same as that of Shoup's, but that it does not have the same parallelizable performance as IBTC and Sarkar's construction. However, as $l$ grows, the speed of $l$-DIM approaches the speed of IBTC and Sarkar's. Conversely, the parallelizable performance of IBTC is the same as that of Sarkar's, but it does not have the same key length expansion as $l$-DIM and Shoup's construction.
8 Conclusion

In this paper we have provided two parallel domain extenders, IBTC and $l$-DIM, for UOWHFs. Each of them has an important theoretical meaning in the study of efficient domain extending methods for UOWHFs.

IBTC has the most efficient key length expansion among all previously known complete $l$-ary ($l \ge 2$) tree based parallel constructions, but IBTC needs slightly more key length expansion than Shoup's sequential construction. On the other hand, $l$-DIM has the same key length expansion as Shoup's. Furthermore, $l$-DIM and Shoup's construction achieve the minimum possible key length expansion for any algorithm in a large class of "natural" domain extenders including all previously proposed constructions. But $l$-DIM does not have the same parallelizability as complete $l$-ary ($l \ge 2$) tree based constructions.

This paper has been concerned with efficient parallel construction. Of course, it would be very nice to have a parallel construction which simultaneously has optimal key length expansion and the same or better parallelizability than complete tree based constructions. At this point we do not have any such algorithm. Hence, in our opinion, key length expansion and parallelizability should be considered separately and with the same importance, and we would like to stress that the present work is important from the former and the latter point of view, respectively.

We have also given a sufficient condition for valid domain extension for sequential extension, and it is likely that the condition is also necessary. That would characterize valid domain extension for the sequential construction.

It is likely that $l$-DIM has maximum parallelizability among constructions with optimal key length expansion. So one can try to prove whether this parallelizability is maximal among all constructions with optimal key length expansion or not.
Abstract. HAVAL is a cryptographic hash function proposed in 1992 by Zheng, Pieprzyk and Seberry. It has a structure that is quite similar to other well-known hash functions such as MD4 and MD5. The specification of HAVAL includes a security parameter: the number of passes (that is, the number of times that a particular word of the message is used in the computation) can be chosen equal to 3, 4 or 5. In this paper we describe a practical attack that finds collisions for the 3-pass version of HAVAL. This means that it is possible to generate pairs of messages hashing to the same value. The computational complexity of the attack corresponds to about $2^{29}$ computations of the compression function of 3-pass HAVAL; the required amount of memory is negligible.


1 Introduction 

A cryptographic hash function is an algorithm that can be used to compress a message of arbitrary length into a hash value of specified length (say $n$ bits). Such functions are widely used in applications requiring the authentication of information. In order to be useful for such applications it is required that the hash function is one-way: this means that, for a given value of $n$ bits, it should be infeasible to find any message which hashes to this value. Another important property for a hash function is collision-resistance: it should be infeasible to find any two messages that are mapped by the function to the same value. This last property is not required in all applications of hash functions; one important case where it is needed is when a hash function is used in conjunction with a digital signature scheme, in order to compress a message before it is signed.

Unfortunately one cannot design efficient hash functions with provable security properties. While it is possible to base a hash function on a different cryptographic primitive such as a block cipher (which may have received a lot of cryptanalytic effort and thereby confidence in its security), in practice dedicated algorithms, designed specifically for the purpose of hashing, are often preferred. Especially the algorithms of the so-called MD-family of hash functions are very popular, because of their efficiency in software implementations and because of the experience gained by cryptanalysis of some members of this family.

The first algorithms of the MD-family were MD4 [10] and MD5 [11], proposed by Rivest in 1990 and 1991 respectively. These functions generate a hash value of 128 bits. The HAVAL [12] algorithm was proposed by Zheng, Pieprzyk and Seberry in 1992. In contrast to MD4 and MD5, HAVAL allows the computation of hashes of variable length, more specifically 128, 160, 192, 224 or 256 bits. This should result in higher security levels, as the complexity of a collision-finding attack is conjectured to be of the order of $2^{n/2}$ operations, where $n$ is the number of bits in the hash value (this corresponds to the complexity of a generic birthday attack). The specification of HAVAL allows for a trade-off between efficiency and security margin by means of a parameter, the number of passes, which can be chosen equal to 3, 4 or 5. Amongst the other hash functions which belong to the MD-family are RIPEMD-160 [5] and SHA-1 [8], both of which have an output length of 160 bits. In order to generate longer hash values one can also use the recently proposed hash functions SHA-256, SHA-384 and SHA-512 [8] (with output lengths of 256, 384 or 512 bits respectively).

In 1996 Dobbertin [3] showed that the MD4 hash function is not collision-resistant: there is a practical attack that finds pairs of messages hashing to the same value. Later he applied similar techniques to find collisions for MD5 [4], but this attack does not work for the correct initial value defined for the algorithm (or for any other pre-specified initial value). In the case of HAVAL, only reduced versions of the algorithm have been analysed so far: it has been shown that collisions can be found when the number of passes is reduced to two [7,9,6]. In this paper we show a cryptanalysis of HAVAL in the case where the number of passes is equal to 3 (that is, the minimum allowed by the algorithm specification). Our analysis leads to a practical attack that finds collisions for 3-pass HAVAL, using the correct initial value as specified for the algorithm, with a time complexity that corresponds to about $2^{29}$ computations of the compression function (this attack works for all possible output lengths of the algorithm). The remainder of the paper is organised as follows: in Section 2 we give a general outline of the attack procedure. The details of the attack are then explained in Sections 3 and 4. In Section 5 we provide a concrete example of a collision generated with our attack and we conclude in Section 6.

2 Outline of the Attack 

The hash function HAVAL is defined as a simple iteration of a compression function and can be described as follows:

$H_0 = IV, \qquad H_j = \mathrm{compress}(H_{j-1}, M_j) \quad (1 \le j \le t), \qquad \mathrm{hash}(\mathcal{M}) = H_t.$

Here $\mathcal{M}$ denotes the message, which is divided into $t$ blocks $M_j$ of 1024 bits each. $IV$ is an initial value of 256 bits, and the $H_j$ represent chaining variables with a length of 256 bits. Each application of the compression function transforms the chaining variable into a new value under control of the current message block $M_j$, and the final value of this chaining variable serves as the 256-bit hash value of the message $\mathcal{M}$. This construction implies that the problem of finding a collision for HAVAL can be reduced to the problem of finding a collision for its compression function. Note that an optional output transformation is defined for the computation of shorter hash values, but this has no impact on our attack: we obtain a collision before the output transformation, therefore the attack works regardless of the length of the hash output.

In the following we focus our attention on the compression function of HAVAL. This function uses only simple operations on 32-bit words. The 256-bit input is loaded into eight registers $(A, B, C, D, E, F, G, H)$ and the 1024-bit message block is divided into 32 words $\{X_0, X_1, \ldots, X_{31}\}$. Each step of the compression function updates the value of one of the registers, depending on a non-linear function of the other seven registers and also on one word of the message. For example, the first step of the compression function updates the value of the $A$ register in the following manner:

$A \leftarrow A^{\gg 11} + \big(f(B, C, D, E, F, G, H)\big)^{\gg 7} + X_0,$

where $f$ is a non-linear function, $(\cdot)^{\gg s}$ denotes rotation (circular shift) over $s$ bit positions to the right, and $+$ denotes addition modulo $2^{32}$. After 32 steps all words $X_i$ have been used, and this constitutes the first pass of the HAVAL compression function. The 3-pass version has two more passes which again use all words $X_i$ of the message exactly once (32 steps per pass), but the order in which they are applied is permuted. Also, each pass uses a different non-linear function in the step operations. We refer to the Appendix for a more detailed description of the compression function. We denote the values contained in the registers at the start of the compression function by $(A_0, \ldots, H_0)$. Each pass of the compression function computes four new values for each register (4 values $\times$ 8 registers = 32 steps). Hence, three passes compute 12 new values for the registers; these values are denoted $(A_i, \ldots, H_i)$ with $1 \le i \le 12$. Note that all steps of the compression function can be inverted; however, there is a final feed-forward operation to make the function non-invertible. This operation computes the function's output as $(A_0 + A_{12}, \ldots, H_0 + H_{12})$.

The goal of our attack is to find two distinct message blocks $\{X_i\}$ and $\{X'_i\}$ ($0 \le i \le 31$) which are mapped by the compression function to the same output value, where the computation for the two message blocks starts from the same 256-bit initial value $(A_0, \ldots, H_0)$. We find such a collision for two message blocks with a small difference in only one of the words, more specifically:

$X'_{28} = X_{28} + 1, \qquad X'_i = X_i \quad (i \ne 28).$

During the execution of the compression function some intermediate values of the registers will be different for the message blocks $\{X_i\}$ and $\{X'_i\}$. We define the difference after step $j$ as

$\Delta_j = (A - A', B - B', C - C', D - D', E - E', F - F', G - G', H - H'),$

where $(A, \ldots, H)$ are the contents of the registers at this point for message block $\{X_i\}$, and similarly $(A', \ldots, H')$ for $\{X'_i\}$. Note that this difference is defined with respect to the modular addition operation.

From the description of the compression function in the Appendix, it can be seen that the word $X_{28}$, respectively $X'_{28}$ (which contains the only difference between the two message blocks), is applied three times, once in each of the three passes of the function. This is the case in steps 29, 38 and 69. Before step 29 all contents of the registers are equal for the two messages; a collision will be obtained if the contents of all registers are equal again after execution of step 69 (hereafter all message words that are used are the same for both messages, so no new differences will occur in any computed register value). In order to give our attack a chance of success we need to control the differences in the registers between step 29 and step 69 very carefully. The attack can be divided into two phases, which we describe below and in more detail in the next sections.


Phase I: Inner Almost-Collision

The first phase of the attack concentrates on the first two passes of the compression function, more specifically the part between steps 29 and 38. The first use of the word $X_{28}$, respectively $X'_{28}$, is in step 29 (in pass 1 of the compression function), where a new value is computed for the $E$ register. This means that the first computed register value which is not equal for the two messages is the value $E_4$, respectively $E'_4$. At this point we have the following correspondence between the registers for the two messages:

$A_4 = A'_4, \quad B_4 = B'_4, \quad C_4 = C'_4, \quad D_4 = D'_4,$
$E_4 = E'_4 + (X_{28} - X'_{28}), \quad F_3 = F'_3, \quad G_3 = G'_3, \quad H_3 = H'_3.$

So the difference after step 29 is:

$\Delta_{29} = (0, 0, 0, 0, X_{28} - X'_{28}, 0, 0, 0) = (0, 0, 0, 0, -1, 0, 0, 0).$

The next use of $X_{28}$, respectively $X'_{28}$, occurs in step 38 (in pass 2 of the compression function), where a new value is computed for the $F$ register. In this phase of the attack we fix some words $X_i$ of the messages in such a way that we have the following correspondence between register values at this point:

$A_5 = A'_5, \quad B_5 = B'_5, \quad C_5 = C'_5, \quad D_5 = D'_5,$
$E_5 = E'_5 + 1^{\ll 12}, \quad F_5 = F'_5, \quad G_4 = G'_4, \quad H_4 = H'_4.$

Here $(\cdot)^{\ll s}$ denotes rotation over $s$ bit positions to the left. So we want only a small difference in register $E$ after the execution of step 38. That is,

$\Delta_{38} = (0, 0, 0, 0, 1^{\ll 12}, 0, 0, 0).$

Such a pair of differences $(\Delta_{29}, \Delta_{38})$ is called an inner almost-collision.
Phase II: Differential Analysis and Matching the Initial Value

The second phase of the attack concentrates on the last two passes of the compression function, more specifically the part between steps 38 and 69. As seen above, we have only a small difference in the $E$ register after step 38. We are now ready to perform a differential cryptanalysis of the following steps. The last occasion where the word $X_{28}$, respectively $X'_{28}$, is used is step 69 (in pass 3 of the compression function). For $39 \le j \le 68$ we require that $\Delta_j = (0, 0, 0, 0, E - E', 0, 0, 0)$. That is, we require that the difference in the $E$ register after step 38 does not spread to any of the other registers. Furthermore, the difference in the $E$ register after step 38 has been chosen in such a way that the use of $X_{28}$, respectively $X'_{28}$, in step 69 compensates the difference in the $E$ register at that point. That means $\Delta_{69} = (0, 0, 0, 0, 0, 0, 0, 0)$, which also results in a collision in the output of the compression function.

In the previous phase of the attack we only needed to fix a few of the words $X_i$ of the messages. Therefore, we can randomly choose the remaining words in this phase and see if the differential attack works. We found that the success probability of our differential attack is around $2^{-29}$, so a collision can be found by randomly guessing the remaining words $X_i$ and computing the difference after step 69 (which should be zero for all registers). This will succeed after, on average, $2^{29}$ trials.

There is one more complication to our attack: when all values of the words $X_i$ are determined we can calculate backwards in pass 1 of the compression function by inverting steps 29 down to 1. The values of $(A_0, \ldots, H_0)$ which we calculate in this way have to be equal to the initial values defined in the algorithm specification. This can be realised by randomly choosing only a subset of the words $X_i$ in this phase of the attack and calculating the values of some other words, which can still be freely chosen, so that the correct initial values are obtained.

3 Finding an Inner Almost-Collision

As noted in the previous section, we first analyse the part of the compression function between step 29 and step 38. We require that $\Delta_{29} = (0, 0, 0, 0, -1, 0, 0, 0)$ and that $\Delta_{38} = (0, 0, 0, 0, 1^{\ll 12}, 0, 0, 0)$.

Table 1 below shows the difference propagation used in our attack. In step 29 a difference in the $E$ register is introduced: $E_4 - E'_4 = X_{28} - X'_{28} = -1$. We let this difference spread to the $F$ register in step 30, more specifically $F_4 - F'_4 = 1$. From step 31 up to 36 we require that the differences in the $E$ and $F$ registers do not spread to any of the other registers: $G_4 - G'_4 = H_4 - H'_4 = A_5 - A'_5 = B_5 - B'_5 = C_5 - C'_5 = D_5 - D'_5 = 0$. Then, in step 37 we need an interaction of the differences in the $E$ and $F$ registers, in such a way that the right difference $E_5 - E'_5 = 1^{\ll 12}$ is obtained. Finally, the difference in the $F$ register has to disappear in step 38, where the word $X_{28}$, respectively $X'_{28}$, is used again: $F_5 - F'_5 = 0$.

For each step in turn, we now look at the difference which is obtained after computing the new register value for $\{X_i\}$ and $\{X'_i\}$. To simplify the analysis we first make the following specific choices:

$E_4 = -1, \quad E'_4 = 0, \quad F_4 = 0, \quad F'_4 = -1.$

Note that these choices agree with the differences $E_4 - E'_4 = -1$ and $F_4 - F'_4 = 1$. The values 0 and $-1$ (modulo $2^{32}$) correspond to 32-bit quantities where all the bits are set equal to 0 or 1, respectively.

Table 1. Overview of the difference propagation through the registers. The shown difference values are the values after the corresponding step has been executed. We also list the message word applied in each step. Note that $\Delta A = A - A'$, $\Delta B = B - B'$, etc.; 1<<12 stands for $1^{\ll 12}$. The entry marked with * is the register updated in that step.

Step | ΔA | ΔB | ΔC | ΔD | ΔE      | ΔF | ΔG | ΔH | word
-----+----+----+----+----+---------+----+----+----+-----------
 29  | 0  | 0  | 0  | 0  | -1*     | 0  | 0  | 0  | X_28 (-1)
 30  | 0  | 0  | 0  | 0  | -1      | 1* | 0  | 0  | X_29
 31  | 0  | 0  | 0  | 0  | -1      | 1  | 0* | 0  | X_30
 32  | 0  | 0  | 0  | 0  | -1      | 1  | 0  | 0* | X_31
 33  | 0* | 0  | 0  | 0  | -1      | 1  | 0  | 0  | X_5
 34  | 0  | 0* | 0  | 0  | -1      | 1  | 0  | 0  | X_14
 35  | 0  | 0  | 0* | 0  | -1      | 1  | 0  | 0  | X_26
 36  | 0  | 0  | 0  | 0* | -1      | 1  | 0  | 0  | X_18
 37  | 0  | 0  | 0  | 0  | 1<<12*  | 1  | 0  | 0  | X_11
 38  | 0  | 0  | 0  | 0  | 1<<12   | 0* | 0  | 0  | X_28 (+1)


Step 29. In this step we have a difference in the applied message word $X_{28}$, respectively $X'_{28}$. From the definition of the step operation (see the Appendix) and using $E'_3 = E_3$, $F'_3 = F_3$, $G'_3 = G_3$, $H'_3 = H_3$, $A'_4 = A_4$, $B'_4 = B_4$, $C'_4 = C_4$, $D'_4 = D_4$ it follows that

$E_4 - E'_4 = X_{28} - X'_{28} = -1.$

Step 30. From the definition of the step operation it follows that

$F_4 - F'_4 = \big(f(G_3, H_3, A_4, B_4, C_4, D_4, E_4)\big)^{\gg 7} - \big(f(G_3, H_3, A_4, B_4, C_4, D_4, E'_4)\big)^{\gg 7}.$

If we now use the definition of the non-linear function $f$ (see the Appendix) and insert the values of $E_4, E'_4, F_4, F'_4$, we can rewrite this as

$1 = (G_3 \oplus B_4 C_4 \oplus H_3 D_4 \oplus A_4 C_4 \oplus A_4)^{\gg 7} - (B_4 C_4 \oplus H_3 D_4 \oplus A_4 C_4 \oplus A_4)^{\gg 7}. \qquad (1)$

Step 31. We require that $G_4 - G'_4 = 0$. That means

$\big(f(H_3, A_4, B_4, C_4, D_4, E_4, F_4)\big)^{\gg 7} - \big(f(H_3, A_4, B_4, C_4, D_4, E'_4, F'_4)\big)^{\gg 7} = 0.$

Using the definition of $f$ and inserting the values of $E_4, E'_4, F_4, F'_4$ we get

$(A_4 \oplus C_4 D_4 \oplus B_4 D_4 \oplus B_4)^{\gg 7} = (H_3 \oplus C_4 D_4 \oplus B_4 D_4 \oplus B_4)^{\gg 7}.$

This equation is satisfied when

$A_4 = H_3. \qquad (2)$
Step 32. We require that $H_4 - H'_4 = 0$. That means

$\big(f(A_4, B_4, C_4, D_4, E_4, F_4, G_4)\big)^{\gg 7} - \big(f(A_4, B_4, C_4, D_4, E'_4, F'_4, G_4)\big)^{\gg 7} = 0.$

In the same manner as above we can derive the following equation:

$D_4 \oplus C_4 = B_4. \qquad (3)$

Step 33. We require that $A_5 - A'_5 = 0$. Note that this is the first step of the second pass of the compression function, so the non-linear function $g$ is used (see the Appendix for the definition of the function $g$):

$\big(g(B_4, C_4, D_4, E_4, F_4, G_4, H_4)\big)^{\gg 7} - \big(g(B_4, C_4, D_4, E'_4, F'_4, G_4, H_4)\big)^{\gg 7} = 0.$

We obtain the equation

$C_4 H_4 \oplus C_4 = C_4 G_4 \oplus H_4. \qquad (4)$

Step 34. We require that $B_5 - B'_5 = 0$. That means

$\big(g(C_4, D_4, E_4, F_4, G_4, H_4, A_5)\big)^{\gg 7} - \big(g(C_4, D_4, E'_4, F'_4, G_4, H_4, A_5)\big)^{\gg 7} = 0,$

which is satisfied when

$D_4 A_5 \oplus H_4 = 0. \qquad (5)$

Step 35. We require that $C_5 - C'_5 = 0$. That means

$\big(g(D_4, E_4, F_4, G_4, H_4, A_5, B_5)\big)^{\gg 7} - \big(g(D_4, E'_4, F'_4, G_4, H_4, A_5, B_5)\big)^{\gg 7} = 0,$

which is satisfied when

$G_4 B_5 \oplus H_4 A_5 \oplus G_4 \oplus D_4 = 0. \qquad (6)$

Step 36. We require that $D_5 - D'_5 = 0$. That means

$\big(g(E_4, F_4, G_4, H_4, A_5, B_5, C_5)\big)^{\gg 7} - \big(g(E'_4, F'_4, G_4, H_4, A_5, B_5, C_5)\big)^{\gg 7} = 0,$

which is satisfied when

$H_4 C_5 \oplus A_5 B_5 \oplus H_4 \oplus G_4 = -1. \qquad (7)$

Step 37. In this step we need to obtain the right difference $E_5 - E'_5 = 1^{\ll 12}$. From the definition of the step operation it follows that

$E_5 - E'_5 = E_4^{\gg 11} - E'^{\gg 11}_4 + \big(g(F_4, G_4, H_4, A_5, B_5, C_5, D_5)\big)^{\gg 7} - \big(g(F'_4, G_4, H_4, A_5, B_5, C_5, D_5)\big)^{\gg 7}.$

Using the definition of $g$ and inserting the values of $E_4, E'_4, F_4, F'_4$ we get

$1^{\ll 12} = -1 + (G_4 A_5 D_5 \oplus G_4 B_5 C_5 \oplus G_4 A_5 \oplus A_5 C_5 \oplus G_4 H_4 \oplus B_5 D_5 \oplus B_5 C_5)^{\gg 7}$
$\qquad\quad - (G_4 A_5 D_5 \oplus G_4 B_5 C_5 \oplus G_4 A_5 \oplus A_5 C_5 \oplus G_4 H_4 \oplus B_5 D_5 \oplus B_5 C_5 \oplus G_4 \oplus -1)^{\gg 7}. \qquad (8)$
Step 38. Finally, in this step we require that the difference in the $F$ register disappears: $F_5 - F'_5 = 0$. From the definition of the step operation we see that

$F_5 - F'_5 = F_4^{\gg 11} - F'^{\gg 11}_4 + X_{28} - X'_{28} + \big(g(G_4, H_4, A_5, B_5, C_5, D_5, E_5)\big)^{\gg 7} - \big(g(G_4, H_4, A_5, B_5, C_5, D_5, E'_5)\big)^{\gg 7}.$

Because $F_4^{\gg 11} - F'^{\gg 11}_4 = 1$ and $X_{28} - X'_{28} = -1$, the requirement $F_5 - F'_5 = 0$ leads to the equation

$\big(g(G_4, H_4, A_5, B_5, C_5, D_5, E_5)\big)^{\gg 7} - \big(g(G_4, H_4, A_5, B_5, C_5, D_5, E'_5)\big)^{\gg 7} = 0,$

which is satisfied when

$B_5 H_4 \oplus C_5 = 0. \qquad (9)$

Solution for the System of Equations

The equations (1) to (9) which we derived above need to be satisfied in order to obtain an inner almost-collision. Therefore, we need a solution for an underdetermined system of 9 equations in 12 variables. It can be seen that the following set of register values constitutes such a solution:

$G_3 = 1^{\ll 7}, \quad H_3 = 0, \quad A_4 = 0, \quad B_4 = 0, \quad C_4 = 0, \quad D_4 = 0,$
$G_4 = 0, \quad H_4 = 0, \quad A_5 = -1, \quad B_5 = -1, \quad C_5 = 0, \quad D_5 = 1^{\ll 18}.$

Note that $G_3 = 1^{\ll 7}$ is a solution to $G_3^{\gg 7} = 1$, and $D_5 = 1^{\ll 18}$ is a solution to $-1 + D_5^{\gg 7} - (D_5 \oplus -1)^{\gg 7} = 1^{\ll 12}$. These two equations are derived from (1) and (8) respectively by inserting the values given for the other variables.

As previously seen, we also have $E_4 = -1$ and $F_4 = 0$. Fixing these 14 register values in order to generate an inner almost-collision also determines the values of some words of the message block $\{X_i\}$. For example,

$X_{30} = G_4 - G_3^{\gg 11} - \big(f(H_3, A_4, B_4, C_4, D_4, E_4, F_4)\big)^{\gg 7}.$

This follows from the definition of the step operation. In the same way, the message words $X_{31}, X_5, X_{14}, X_{26}$ and $X_{18}$ are determined. The values for these message words are as follows (in hexadecimal notation):

$X_{30} = \mathtt{f0000000}_x$
$X_{31} = \mathtt{00000000}_x$
$X_5 = \mathtt{bad7de19}_x$
$X_{14} = \mathtt{07216088}_x$
$X_{26} = \mathtt{41ab9931}_x$
$X_{18} = \mathtt{cb1af394}_x$

Note that we get the same values $X'_i = X_i$ when we use the alternative register values $G_3, H_3, A_4, B_4, C_4, D_4, E'_4, F'_4, G_4, H_4, A'_5, B'_5, C'_5, D'_5$ in the computations (only $E'_4$ and $F'_4$ are different). Six words of the message blocks $\{X_i\}$ and $\{X'_i\}$ are now determined. We still have a free choice for the remaining 26 words of these message blocks in phase II of the attack, as described in Section 4.
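The step operation of Section 2, its inverse (which the phase II computation of steps 29 down to 1 relies on) and the relation that fixes a message word once the registers around a step are fixed, as just used for $X_{30}$, are small enough to check mechanically. The Python script below is an added illustration and not code from the paper or from a HAVAL implementation: the step shape (rotate the updated register by 11, rotate the output of the non-linear function by 7, add the message word and, from pass 2 on, a constant) is the one given in Section 2; the boolean functions $f$ and $g$ are the ones that can be read off from equations (1) to (9), not a transcription of the HAVAL specification; and the single pass-2 constant, which the page does not list, is assumed to be the first word of the fractional part of $\pi$ as in HAVAL. Under these assumptions the script reproduces $X_{30} = \mathtt{f0000000}_x$, $X_{31} = \mathtt{00000000}_x$ and $X_5 = \mathtt{bad7de19}_x$ from the fixed register values above, and the differences $F_4 - F'_4 = 1$ and $G_4 - G'_4 = H_4 - H'_4 = A_5 - A'_5 = 0$ of Table 1.

```python
"""HAVAL-style step operation, its inverse and the message-word relation of
Section 3.  Added example, not code from the paper: the step shape is the one
of Section 2, f and g are read off from equations (1)-(9) rather than copied
from the HAVAL specification, and the pass-2 constant below is an assumption."""

MASK = 0xFFFFFFFF
A, B, C, D, E, F, G, H = range(8)          # register indices
K_STEP33 = 0x452821E6   # assumed first pass-2 constant (fractional part of pi)


def rotr(x, s):
    """Rotate the 32-bit word x right by s bit positions."""
    return ((x >> s) | (x << (32 - s))) & MASK


def rotl(x, s):
    return rotr(x, 32 - s)


def mdiff(x, y):
    """Modular difference x - y mod 2^32, the notion behind Delta_j."""
    return (x - y) & MASK


def f_pass1(x1, x2, x3, x4, x5, x6, x7):
    """Pass-1 function in the argument order of equations (1)-(3)."""
    return (x1 & x7) ^ (x4 & x5) ^ (x2 & x6) ^ (x3 & x5) ^ x3


def g_pass2(x1, x2, x3, x4, x5, x6, x7):
    """Pass-2 function in the argument order of equations (4)-(9)."""
    return ((x2 & x4 & x7) ^ (x2 & x5 & x6) ^ (x2 & x4) ^ (x4 & x6)
            ^ (x2 & x3) ^ (x5 & x7) ^ (x5 & x6) ^ (x1 & x2) ^ x1)


def others(regs, r):
    """The seven registers other than r, in the paper's cyclic order
    (step 30 updates F and evaluates f(G, H, A, B, C, D, E))."""
    return tuple(regs[(r + j) % 8] for j in range(1, 8))


def step(regs, r, word, nonlin, const=0):
    """register r <- rotr(r, 11) + rotr(nonlin(other seven), 7) + word + const."""
    new = (rotr(regs[r], 11) + rotr(nonlin(*others(regs, r)), 7) + word + const) & MASK
    out = list(regs)
    out[r] = new
    return tuple(out)


def invert_step(regs, r, word, nonlin, const=0):
    """Undo step(): the seven other registers are untouched, so the previous
    value of r follows exactly (this is how steps 29 down to 1 are inverted)."""
    old = rotl((regs[r] - rotr(nonlin(*others(regs, r)), 7) - word - const) & MASK, 11)
    out = list(regs)
    out[r] = old
    return tuple(out)


def solve_word(regs, r, target, nonlin, const=0):
    """The message word that makes the step write `target` into register r
    (the relation used for X_30 in Section 3)."""
    return (target - rotr(regs[r], 11) - rotr(nonlin(*others(regs, r)), 7) - const) & MASK


def inner_collision_prefix(f3):
    """Steps 30-33 for both messages, starting after step 29 with the fixed
    values G_3 = 1<<7, H_3 = A_4 = B_4 = C_4 = D_4 = 0 and E_4 = -1 resp. E'_4 = 0.
    X_29, X_30, X_31, X_5 are chosen so that F_4 = 0, G_4 = 0, H_4 = 0 and
    A_5 = -1 for the first message (F_3 is a free input).  Returns the chosen
    words and the difference vector (A..H) after each of the four steps."""
    regs = (0, 0, 0, 0, MASK, f3, 1 << 7, 0)      # message {X_i}:  (A4,B4,C4,D4,E4,F3,G3,H3)
    regs_p = (0, 0, 0, 0, 0, f3, 1 << 7, 0)       # message {X'_i}: E'_4 = 0
    plan = [(F, 0, f_pass1, 0), (G, 0, f_pass1, 0),
            (H, 0, f_pass1, 0), (A, MASK, g_pass2, K_STEP33)]
    words, deltas = [], []
    for r, target, fn, k in plan:
        x = solve_word(regs, r, target, fn, k)
        regs, regs_p = step(regs, r, x, fn, k), step(regs_p, r, x, fn, k)
        words.append(x)
        deltas.append(tuple(mdiff(a, b) for a, b in zip(regs, regs_p)))
    return words, deltas


if __name__ == "__main__":
    ws, ds = inner_collision_prefix(0)
    print([hex(w) for w in ws])
    print(ds[-1])
```

The word list starts with $X_{29}$ (which depends on the free value $F_3$) followed by $X_{30}$, $X_{31}$ and $X_5$; the difference vectors all equal $(0, 0, 0, 0, -1, 1, 0, 0)$ in the modular sense, i.e. the row pattern of Table 1 for steps 30 to 33.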
Other Solutions for the System of Equations

As an alternative to the solution given above, different solutions for the system of equations (1) to (9) can be found. In general, for an arbitrary choice of two 32-bit values $Q_1$ and $Q_2$, the following set of register values is a solution for the system of equations (and leads to an inner almost-collision):

$G_3 = (1 + Q_1^{\gg 7})^{\ll 7} \oplus Q_1, \quad G_4 = (Q_2^{\gg 7} - 1^{\ll 12} - 1)^{\ll 7} \oplus Q_2 \oplus -1,$
$H_3 = Q_1, \quad H_4 = 0,$
$A_4 = Q_1, \quad A_5 = (Q_2^{\gg 7} - 1^{\ll 12} - 1)^{\ll 7} \oplus Q_2,$
$B_4 = 0, \quad B_5 = -1,$
$C_4 = 0, \quad C_5 = 0,$
$D_4 = 0, \quad D_5 = Q_2.$

Note that for $Q_1 = 0$ and $Q_2 = 1^{\ll 18}$ this reduces to the solution given earlier. For any choice of $Q_1$ and $Q_2$ a specific set of register values is obtained, and hence also a specific set of message words $X_{30}, X_{31}, X_5, X_{14}, X_{26}$ and $X_{18}$. However, in those cases where bit 12 of $Q_2$ is equal to 1 (counting from the least significant bit position), the differential attack of Section 4 does not work. Solutions with bit 12 of $Q_2$ equal to 0 (leading to a successful differential attack) are called admissible inner almost-collisions. $2^{63}$ different admissible inner almost-collisions can be generated, but only one of them is needed for the next phase of the attack.

4 Differential Attack 

In the second phase of the attack we perform a differential cryptanalysis (the 
technique of differential analysis was first applied to hash functions in [1]). We 
consider the part of the compression function between step 38 and step 69. We 
have an input difference Z\ 38 = (0, 0, 0, 0, 1 <12 , 0, 0, 0) (from the first phase of 
the attack) and require that A 69 = (0,0, 0,0, 0,0, 0,0). Table 2 below shows the 
difference propagation for this phase of the attack. For the E register we have the 
following differences: E 5 -E' 5 = 1 <<V2 ,E 6 -E' 6 = 1 « 1 ,E 7 -E(. = 1« 22 , £ s -££ = 
l <n , Eg — Eg = 0. For the other registers all differences must be zero. 

Table 2. Overview of the difference propagation through the registers. The shown difference values are the values after the corresponding step has been executed. We also list the message word applied in each step. Note that $\Delta A = A - A'$, $\Delta B = B - B'$, etc. Entries marked with * show which register has been updated in a particular step.

Step   ΔA   ΔB   ΔC   ΔD    ΔE        ΔF   ΔG   ΔH   word
38     0    0    0    0     1<<12     0*   0    0    X28 (+1)
39     0    0    0    0     1<<12     0    0*   0    X7
⋮
44     0    0    0    0*    1<<12     0    0    0    X22
45     0    0    0    0     1<<1*     0    0    0    X1
⋮
52     0    0    0    0*    1<<1      0    0    0    X9
53     0    0    0    0     1<<22*    0    0    0    X17
⋮
60     0    0    0    0*    1<<22     0    0    0    X13
61     0    0    0    0     1<<11*    0    0    0    X2
⋮
68     0    0    0    0*    1<<11     0    0    0    X20
69     0    0    0    0     0*        0    0    0    X28 (+1)

There are two different cases for the computation of the probability of a difference propagation through a step. The content of the E register is updated in steps 45, 53, 61 and 69. In step 45 for example we compute

$E_6 = E_5^{\ggg 11} + (g(F_5, G_5, H_5, A_6, B_6, C_6, D_6))^{\ggg 7} + X_1 + K_{12}$,

$E_6' = E_5'^{\ggg 11} + (g(F_5, G_5, H_5, A_6, B_6, C_6, D_6))^{\ggg 7} + X_1 + K_{12}$.

Hence, we see that the difference

$E_6 - E_6' = E_5^{\ggg 11} - E_5'^{\ggg 11}$,

and we require $E_5 - E_5' = 1 \ll 12$ and $E_6 - E_6' = 1 \ll 1$ (the difference gets rotated by 11 bit positions to the right). This happens with a probability which is close to 1. In the other steps we require that the difference in the E register does not spread to a different register. In step 46 for example we compute

$F_6 = F_5^{\ggg 11} + (g(G_5, H_5, A_6, B_6, C_6, D_6, E_6))^{\ggg 7} + X_{10} + K_{13}$,

$F_6' = F_5^{\ggg 11} + (g(G_5, H_5, A_6, B_6, C_6, D_6, E_6'))^{\ggg 7} + X_{10} + K_{13}$.

Here the difference

$F_6 - F_6' = (g(G_5, H_5, A_6, B_6, C_6, D_6, E_6))^{\ggg 7} - (g(G_5, H_5, A_6, B_6, C_6, D_6, E_6'))^{\ggg 7}$,

and we require that $F_6 - F_6' = 0$, which is equivalent to

$g(G_5, H_5, A_6, B_6, C_6, D_6, E_6) = g(G_5, H_5, A_6, B_6, C_6, D_6, E_6')$.

Using the definition of $g$ we can derive the following condition:

$E_6 B_6 H_5 \oplus E_6 C_6 = E_6' B_6 H_5 \oplus E_6' C_6$,

which is satisfied when $B_6 H_5 \oplus C_6 = 0$ at those bit positions where $E_6$ is different from $E_6'$. Because $E_6 = E_6' + 1 \ll 1$ this happens with a probability of about 1/3: the two words differ in $l$ consecutive bit positions (the borrow chain starting at bit 1) with probability $2^{-l}$, and the condition then holds at all $l$ positions with probability $2^{-l}$, so the total probability is $\sum_{l \ge 1} 4^{-l} = 1/3$.

By combining the probabilities for all steps we can estimate the global probability for the propagation from step 38 up to step 69 as $p_{69} \approx (1/3)^{27} \approx 2^{-42.8}$.
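The two per-step probabilities above can be checked numerically. The following is an added Python example, not code from the paper or the authors' program: $g$ and the step operation $gg$ are transcribed from the Appendix, all register contents are constructed random samples, and the function names (`estimate_step46`, `condition_holds`, ...) are this example's own. Besides estimating the 1/3, it verifies that the closed-form condition $B_6 H_5 \oplus C_6 = 0$ on the differing bit positions predicts the outcome of every single trial, and it checks the "close to 1" claim for the rotated difference of step 45.

```python
"""Section 4, steps 45 and 46: does the E-register difference stay in E?
Added example (not code from the paper).  g and gg are the pass-2 Boolean
function and step operation of the Appendix; all register contents below are
constructed random samples."""
import random

MASK = 0xFFFFFFFF


def rotr(x, s):
    """Rotate a 32-bit word right by s positions (the paper's (.)>>>s)."""
    return ((x >> s) | (x << (32 - s))) & MASK


def g(z6, z5, z4, z3, z2, z1, z0):
    """Pass-2 function: bitwise XOR of ANDs, as listed in the Appendix."""
    return ((z3 & z5 & z0) ^ (z5 & z1 & z2) ^ (z3 & z5) ^ (z3 & z1) ^ (z5 & z4)
            ^ (z0 & z2) ^ (z1 & z2) ^ (z6 & z5) ^ z6)


def gg(z7, z6, z5, z4, z3, z2, z1, z0, x):
    """gg(Z7..Z0, X) = Z7>>>11 + (g(Z6..Z0))>>>7 + X  (mod 2^32)."""
    return (rotr(z7, 11) + rotr(g(z6, z5, z4, z3, z2, z1, z0), 7) + x) & MASK


def f6_difference(F5, G5, H5, A6, B6, C6, D6, E6, word):
    """F6 - F6' (mod 2^32) in step 46 when the two computations differ only in
    E6' = E6 - (1 << 1); `word` stands for X10 + K13 (constants not needed)."""
    E6p = (E6 - (1 << 1)) & MASK
    F6 = gg(F5, G5, H5, A6, B6, C6, D6, E6, word)
    F6p = gg(F5, G5, H5, A6, B6, C6, D6, E6p, word)
    return (F6 - F6p) & MASK


def condition_holds(H5, B6, C6, E6):
    """Closed form derived from g: B6 H5 xor C6 must be 0 at every bit position
    where E6 and E6' = E6 - 2 differ (the borrow chain starting at bit 1)."""
    E6p = (E6 - (1 << 1)) & MASK
    return (((B6 & H5) ^ C6) & (E6 ^ E6p)) == 0


def estimate_step46(trials=20000, seed=1):
    """Fraction of random register contents for which the difference does not
    reach F6.  Expected about 1/3: the words differ in l bits with probability
    2^-l and the condition then holds with probability 2^-l; sum of 4^-l = 1/3."""
    rng = random.Random(seed)
    good = 0
    for _ in range(trials):
        F5, G5, H5, A6, B6, C6, D6, E6, word = (rng.getrandbits(32) for _ in range(9))
        stays = f6_difference(F5, G5, H5, A6, B6, C6, D6, E6, word) == 0
        # the condition must predict the outcome exactly, not just on average
        assert stays == condition_holds(H5, B6, C6, E6)
        good += stays
    return good / trials


def estimate_step45(trials=20000, seed=2):
    """Step 45: with E5 - E5' = 1<<12 and no other difference, the new difference
    is E5>>>11 - E5'>>>11.  Fraction of random E5 for which that equals 1<<1;
    it fails only when E5 < 2^12, i.e. when the subtraction wraps around."""
    rng = random.Random(seed)
    good = 0
    for _ in range(trials):
        E5 = rng.getrandbits(32)
        E5p = (E5 - (1 << 12)) & MASK
        good += ((rotr(E5, 11) - rotr(E5p, 11)) & MASK) == (1 << 1)
    return good / trials


if __name__ == "__main__":
    print("step 46, Pr[difference stays in E] ~", estimate_step46())
    print("step 45, Pr[rotated difference is 1<<1] ~", estimate_step45())
```

The per-trial assertion inside `estimate_step46` is the point of the example: because $g$ is bitwise, $g \oplus g' = (E_6 \oplus E_6') \cdot (B_6 H_5 \oplus C_6)$ exactly, so the "probability 1/3" is a statement about how long the borrow chain of $E_6 - 2$ is, not about any randomness in $g$ itself.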
The real probability is much lower however. This is partly because of the contents of the registers at the start of the differential attack¹. Furthermore, the probabilities for consecutive steps strongly depend on each other (because every step changes the value of only 1 out of 8 registers). If we consider a sequence of 8 steps, experiments show that the probability is about $2^{-9}$, which is better than $(1/3)^7 \approx 2^{-11.1}$. For the complete propagation from step 38 to step 69 we found the estimation

$p_{69} \approx 2^{-29}$.

The differential attack can be performed as follows. In the previous section we saw that $X_{30}$, $X_{31}$, $X_5$, $X_{14}$, $X_{26}$, and $X_{18}$ are determined in order to get the right input difference $\Delta_{38}$. We can now randomly choose the remaining 26 words and calculate forwards to step 69, starting from the known register values $E_4, F_4, G_4, H_4, A_5, B_5, C_5, D_5$ (or $E_4', F_4'$ for the second message block). If the difference after step 69 is equal to 0 for all registers then we have a collision, and this happens on average after $2^{29}$ trials. There is however one more complication, which we describe below.


Matching the Initial Value 

When all message words $X_i$ are determined we can also compute backwards in pass 1 of the compression function, starting from the known register values $G_3, H_3, A_4, B_4, C_4, D_4, E_4, F_4$. This is done by inverting the step operations. For example, inverting step 30 gives us

$F_3 = \left(F_4 - (f(G_3, H_3, A_4, B_4, C_4, D_4, E_4))^{\ggg 7} - X_{29}\right)^{\lll 11}$,

where $(\cdot)^{\lll 11}$ denotes rotation over 11 bit positions to the left. In that way we finally obtain the register values $(A_0, \ldots, H_0)$. However, these values should be equal to the initial values specified for the algorithm (see the Appendix). This can be solved as described below. First note that there is one sequence of 8 message words which are applied in consecutive steps in pass 1 of the compression function, and none of which have been determined in phase I of the attack (for obtaining an inner almost-collision). This sequence of message words is $X_6, X_7, \ldots, X_{13}$ (used in steps 7 to 14), and it will be used to match the correct initial values.

In our differential attack we randomly choose values for 18 message words (as before but excluding the 8 words needed to match the initial values). We also know the fixed values for the words $X_{30}, X_{31}, X_5, X_{14}, X_{26}, X_{18}$ (determined by phase I of the attack). Now we compute backwards in pass 1 of the compression function down to the (inverted) step 15 where $X_{14}$ is applied. In this manner we derive the register values $(G_1, H_1, A_2, B_2, C_2, D_2, E_2, F_2)$. Next we compute forwards starting from the correct initial values and up to step 6 where $X_5$ is applied. This gives us the register values $(G_0, H_0, A_1, B_1, C_1, D_1, E_1, F_1)$ and now we can compute the required values for the message words $X_6, X_7, \ldots, X_{13}$. For example,

$X_6 = G_1 - G_0^{\ggg 11} - (f(H_0, A_1, B_1, C_1, D_1, E_1, F_1))^{\ggg 7}$.

After we have matched the specified initial values for all registers (and thereby determined the values for all 32 message words $X_i$) we check the differential attack between steps 39 and 69 as before and repeat the procedure until a collision has been found. On average we succeed after $2^{29}$ trials, where a trial can be abandoned as soon as the difference propagation in a register is not correct. Note that the attack works equally well for the initial value specified for the algorithm or for any other initial value. A program that implements the attack runs on average in less than one hour on an Athlon 600MHz processor. Finally note that the number of collisions which can be generated, at least in theory, with this differential attack is equal to $2^{547}$, since we can freely choose 18 words (that is a maximum of $2^{576}$ trials), and the success probability is about $2^{-29}$. Because there are $2^{63}$ different admissible inner almost-collisions to start from, the total number of collisions which can be generated by our attack is equal to $2^{547+63} = 2^{610}$.

¹ Related to this, the reason that not all inner almost-collisions lead to a successful differential attack is that in some cases the contents of the registers are not suitable at the start of the differential attack.
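The matching procedure just described relies on two properties of pass 1 that the Appendix makes explicit: every step changes a single register and is therefore invertible given the other seven, and the eight words $X_6, \ldots, X_{13}$ each enter exactly one of the consecutive steps 7 to 14. The following added Python example (not the authors' program) implements pass 1 from the Appendix and solves those eight words so that the forward computation from the initial value meets a prescribed state after step 32. The IV is the one given in the paper; the target state and the 24 other message words are constructed random values, because the inner almost-collision of phase I is not reproduced here, and the function names (`pass1_forward`, `solve_middle_words`, ...) are this example's own.

```python
"""Pass 1 of the HAVAL compression function as specified in the Appendix, and the
'matching the initial value' computation of Section 4.  Added example, not the
authors' program: the IV is the one given in the paper, but the state after step
32 and the 24 message words outside X6..X13 are constructed random values."""
import random

MASK = 0xFFFFFFFF


def rotr(x, s):
    """Rotate a 32-bit word right by s positions."""
    return ((x >> s) | (x << (32 - s))) & MASK


def rotl(x, s):
    return rotr(x, 32 - s)


def f(z6, z5, z4, z3, z2, z1, z0):
    """Pass-1 Boolean function of the Appendix (bitwise XOR of ANDs)."""
    return (z2 & z3) ^ (z0 & z6) ^ (z5 & z1) ^ (z4 & z2) ^ z4


def ff(z7, z6, z5, z4, z3, z2, z1, z0, x):
    """ff(Z7..Z0, X) = Z7>>>11 + (f(Z6..Z0))>>>7 + X  (mod 2^32)."""
    return (rotr(z7, 11) + rotr(f(z6, z5, z4, z3, z2, z1, z0), 7) + x) & MASK


def step_args(state, i):
    """Registers in the order ff sees them at step i (1-based): the register that
    step i updates comes first, followed by the other seven in cyclic order."""
    k = (i - 1) % 8
    return [state[(k + j) % 8] for j in range(8)]


def pass1_forward(state, words, first=1, last=32):
    """Apply steps first..last of pass 1; step i uses message word X_{i-1}."""
    st = list(state)
    for i in range(first, last + 1):
        st[(i - 1) % 8] = ff(*step_args(st, i), words[i - 1])
    return st


def pass1_backward(state, words, first=32, last=1):
    """Undo steps first down to last.  Only one register changes per step, so
    Z7 = ((Z7_new - f(Z6..Z0)>>>7 - X) mod 2^32) <<< 11 recovers it."""
    st = list(state)
    for i in range(first, last - 1, -1):
        new, *others = step_args(st, i)
        st[(i - 1) % 8] = rotl((new - rotr(f(*others), 7) - words[i - 1]) & MASK, 11)
    return st


def solve_middle_words(iv, target, words):
    """Return the 32-word block in which X6..X13 are replaced by the unique values
    that make pass 1 map iv to target; all other words are kept."""
    w = list(words)
    st = pass1_forward(iv, w, 1, 6)            # [A1..F1, G0, H0]: after step 6
    back = pass1_backward(target, w, 32, 15)   # [A2..F2, G1, H1]: after step 14
    for i in range(7, 15):                     # steps 7..14 apply X6..X13
        k = (i - 1) % 8
        old, *others = step_args(st, i)
        w[i - 1] = (back[k] - rotr(old, 11) - rotr(f(*others), 7)) & MASK
        st[k] = back[k]                        # register k now has its target value
    return w


# Initial value of the algorithm (Appendix), in register order A0..H0.
IV = [0xec4e6c89, 0x082efa98, 0x299f31d0, 0xa4093822,
      0x03707344, 0x13198a2e, 0x85a308d3, 0x243f6a88]


def demo(seed=2003):
    """Constructed instance: random target state and random fixed words."""
    rng = random.Random(seed)
    target = [rng.getrandbits(32) for _ in range(8)]
    words = [rng.getrandbits(32) for _ in range(32)]
    solved = solve_middle_words(IV, target, words)
    return pass1_forward(IV, solved) == target, solved, words


if __name__ == "__main__":
    ok, solved, words = demo()
    print("pass 1 reaches the target state:", ok)
    print("X6..X13 =", [f"{x:08x}" for x in solved[6:14]])
```

Each of the eight words is determined by a single subtraction, so this part of the procedure costs nothing; the $2^{29}$ trials of the attack are spent entirely on the differential part. The same structure is why the conclusions compare HAVAL with MD4: any pass in which each message word is injected once, into a single register, can be met in the middle this way.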


5 Example Collision for 3-Pass HAVAL 


We give an example of two message blocks that are hashed by the compression function of 3-pass HAVAL to the same output value. This example has been checked using the reference implementation of HAVAL available at [2]. For both messages the computation starts from the initial value specified for the algorithm (this initial value is also used in [2]; all values are in hexadecimal notation):

A0 = ec4e6c89  B0 = 082efa98  C0 = 299f31d0  D0 = a4093822
E0 = 03707344  F0 = 13198a2e  G0 = 85a308d3  H0 = 243f6a88


The first message block is:

X0  = 94c0875e  X1  = dd25f63e  X2  = f5d09361  X3  = b51db8b2
X4  = b00c36e4  X5  = bad7de19  X6  = 32a68bb5  X7  = c5aff25d
X8  = ad0dea24  X9  = a7e1ee7c  X10 = 617b92dd  X11 = f9da283d
X12 = b2844d83  X13 = b8d498eb  X14 = c72fec88  X15 = 8f467c05
X16 = 507ea2c1  X17 = c2d94121  X18 = cb1af394  X19 = 036daf20
X20 = bba7fb8c  X21 = 6daee6aa  X22 = 04fc029f  X23 = d37c05f4
X24 = 993aea13  X25 = 3ccfab88  X26 = 41ab9931  X27 = 3c7cae0c
X28 = f704bafc  X29 = b60635de  X30 = f0000000  X31 = 00000000

and the second message block is determined by

$X_i' = X_i \quad (0 \le i \le 31,\ i \ne 28)$,

$X_{28}' = X_{28} + 1$.


For these two message blocks, the compression function computes the following common output value (note that this computation includes the feed-forward operation at the end):

A = 1f467580  B = 7618c292  C = e5220b62  D = 77ea845b
E = ef9fd8de  F = 41ec28af  G = 5205cb85  H = 260412c4

The complete hash function includes an additional application of the com- 
pression function, starting from the output value given above. For both messages 
the same padding block is used as message input for this final application of the 
compression function, therefore a collision is obtained in the final hash result: 

A = 7d476278  B = f603a907  C = 6d985fef  D = 4b5e66b7
E = b6541db5  F = 16ccd71d  G = e8f9cf7c  H = 141e38e2

Note that the algorithm converts this set of words into a string of 32 bytes, 
starting with the least significant byte of H and ending with the most significant 
byte of A (see the Appendix). 

6 Conclusions 

We have shown a practical attack for generating collisions in 3-pass HAVAL and 
believe that this version of HAVAL should no longer be used in applications 
where a collision-resistant hash function is required. The strategy for our attack 
is quite similar to the strategy that was used for the cryptanalysis of MD4 in [3].
Surprisingly, our result shows that the use of highly non-linear functions, which 
is the main focus of the design of HAVAL, does not result in a hash function 
which is significantly stronger compared to MD4 (note that MD4’s compression 
function also has 3 passes but only 16 steps in each pass). We believe that it 
may be possible to extend our techniques in order to generate predictable output 
differences in the 4-pass version of HAVAL but further research is needed to 
examine this. 
Appendix

In this appendix we give a description of HAVAL and explain the notations that are used in this paper. Not all of the details are fully described: for a complete specification see [12]. HAVAL is defined as the iteration of a compression function which we specify below. Each application of this compression function uses eight words as initial value and 32 words of the message as input, and produces eight words of output which are then used as initial value for the next application of the compression function. All words have a length of 32 bits (4 bytes). The initial value to be used in the first application of the compression function is specified as follows (hexadecimal notation):

IV = ec4e6c89 082efa98 299f31d0 a4093822 03707344 13198a2e 85a308d3 243f6a88 .

Note that there is a padding rule that appends bytes to the message so that its 
length becomes a multiple of 128 bytes (32 words x 4 bytes/word). The added 
bytes include a representation of the length of the original message. The little 
endian-convention is used to transform the message (sequence of bytes) into a 
sequence of words. 

The compression function uses three non-linear functions, each of which takes 
seven words of input and produces one word of output: 

$f(Z_6, Z_5, Z_4, Z_3, Z_2, Z_1, Z_0) = Z_2 Z_3 \oplus Z_0 Z_6 \oplus Z_5 Z_1 \oplus Z_4 Z_2 \oplus Z_4$,

$g(Z_6, Z_5, Z_4, Z_3, Z_2, Z_1, Z_0) = Z_3 Z_5 Z_0 \oplus Z_5 Z_1 Z_2 \oplus Z_3 Z_5 \oplus Z_3 Z_1 \oplus Z_5 Z_4 \oplus Z_0 Z_2 \oplus Z_1 Z_2 \oplus Z_6 Z_5 \oplus Z_6$,

$h(Z_6, Z_5, Z_4, Z_3, Z_2, Z_1, Z_0) = Z_5 Z_4 Z_3 \oplus Z_5 Z_2 \oplus Z_4 Z_1 \oplus Z_3 Z_6 \oplus Z_0 Z_3 \oplus Z_0$.

Here $Z_i Z_j$ denotes the Boolean AND function of $Z_i$ and $Z_j$, and $Z_i \oplus Z_j$ denotes the Boolean exclusive-OR function of $Z_i$ and $Z_j$. Note that the functions $f$, $g$ and $h$ operate at bit-level: they can be performed independently at each of the 32 bit positions in the words.
Let $ff(Z_7, Z_6, Z_5, Z_4, Z_3, Z_2, Z_1, Z_0, X)$, $gg(Z_7, Z_6, Z_5, Z_4, Z_3, Z_2, Z_1, Z_0, X)$ and $hh(Z_7, Z_6, Z_5, Z_4, Z_3, Z_2, Z_1, Z_0, X)$ be equivalent to

$Z_7^{\ggg 11} + (f(Z_6, Z_5, Z_4, Z_3, Z_2, Z_1, Z_0))^{\ggg 7} + X$,

$Z_7^{\ggg 11} + (g(Z_6, Z_5, Z_4, Z_3, Z_2, Z_1, Z_0))^{\ggg 7} + X$,

$Z_7^{\ggg 11} + (h(Z_6, Z_5, Z_4, Z_3, Z_2, Z_1, Z_0))^{\ggg 7} + X$,

where $(\cdot)^{\ggg s}$ denotes rotation (circular shift) over $s$ bit positions to the right, and $+$ denotes addition modulo $2^{32}$.

Suppose that the initial value $(A_0, B_0, C_0, D_0, E_0, F_0, G_0, H_0)$ is given. Then the compression function applies the following 96 steps (three passes of 32 steps each):

PASS 1

A1 = ff(A0, B0, C0, D0, E0, F0, G0, H0, X0)   (1)
B1 = ff(B0, C0, D0, E0, F0, G0, H0, A1, X1)   (2)
C1 = ff(C0, D0, E0, F0, G0, H0, A1, B1, X2)   (3)
D1 = ff(D0, E0, F0, G0, H0, A1, B1, C1, X3)   (4)
E1 = ff(E0, F0, G0, H0, A1, B1, C1, D1, X4)   (5)
F1 = ff(F0, G0, H0, A1, B1, C1, D1, E1, X5)   (6)
G1 = ff(G0, H0, A1, B1, C1, D1, E1, F1, X6)   (7)
H1 = ff(H0, A1, B1, C1, D1, E1, F1, G1, X7)   (8)
A2 = ff(A1, B1, C1, D1, E1, F1, G1, H1, X8)   (9)
B2 = ff(B1, C1, D1, E1, F1, G1, H1, A2, X9)   (10)
C2 = ff(C1, D1, E1, F1, G1, H1, A2, B2, X10)   (11)
D2 = ff(D1, E1, F1, G1, H1, A2, B2, C2, X11)   (12)
E2 = ff(E1, F1, G1, H1, A2, B2, C2, D2, X12)   (13)
F2 = ff(F1, G1, H1, A2, B2, C2, D2, E2, X13)   (14)
G2 = ff(G1, H1, A2, B2, C2, D2, E2, F2, X14)   (15)
H2 = ff(H1, A2, B2, C2, D2, E2, F2, G2, X15)   (16)
A3 = ff(A2, B2, C2, D2, E2, F2, G2, H2, X16)   (17)
B3 = ff(B2, C2, D2, E2, F2, G2, H2, A3, X17)   (18)
C3 = ff(C2, D2, E2, F2, G2, H2, A3, B3, X18)   (19)
D3 = ff(D2, E2, F2, G2, H2, A3, B3, C3, X19)   (20)
E3 = ff(E2, F2, G2, H2, A3, B3, C3, D3, X20)   (21)
F3 = ff(F2, G2, H2, A3, B3, C3, D3, E3, X21)   (22)
G3 = ff(G2, H2, A3, B3, C3, D3, E3, F3, X22)   (23)
H3 = ff(H2, A3, B3, C3, D3, E3, F3, G3, X23)   (24)
A4 = ff(A3, B3, C3, D3, E3, F3, G3, H3, X24)   (25)
B4 = ff(B3, C3, D3, E3, F3, G3, H3, A4, X25)   (26)
C4 = ff(C3, D3, E3, F3, G3, H3, A4, B4, X26)   (27)
D4 = ff(D3, E3, F3, G3, H3, A4, B4, C4, X27)   (28)
E4 = ff(E3, F3, G3, H3, A4, B4, C4, D4, X28)   (29)
F4 = ff(F3, G3, H3, A4, B4, C4, D4, E4, X29)   (30)
G4 = ff(G3, H3, A4, B4, C4, D4, E4, F4, X30)   (31)
H4 = ff(H3, A4, B4, C4, D4, E4, F4, G4, X31)   (32)

PASS 2

A5 = gg(A4, B4, C4, D4, E4, F4, G4, H4, X5 + K0)   (33)
B5 = gg(B4, C4, D4, E4, F4, G4, H4, A5, X14 + K1)   (34)
C5 = gg(C4, D4, E4, F4, G4, H4, A5, B5, X26 + K2)   (35)
D5 = gg(D4, E4, F4, G4, H4, A5, B5, C5, X18 + K3)   (36)
E5 = gg(E4, F4, G4, H4, A5, B5, C5, D5, X11 + K4)   (37)
F5 = gg(F4, G4, H4, A5, B5, C5, D5, E5, X28 + K5)   (38)
G5 = gg(G4, H4, A5, B5, C5, D5, E5, F5, X7 + K6)   (39)
H5 = gg(H4, A5, B5, C5, D5, E5, F5, G5, X16 + K7)   (40)
A6 = gg(A5, B5, C5, D5, E5, F5, G5, H5, X0 + K8)   (41)
B6 = gg(B5, C5, D5, E5, F5, G5, H5, A6, X23 + K9)   (42)
C6 = gg(C5, D5, E5, F5, G5, H5, A6, B6, X20 + K10)   (43)
D6 = gg(D5, E5, F5, G5, H5, A6, B6, C6, X22 + K11)   (44)
E6 = gg(E5, F5, G5, H5, A6, B6, C6, D6, X1 + K12)   (45)
F6 = gg(F5, G5, H5, A6, B6, C6, D6, E6, X10 + K13)   (46)
G6 = gg(G5, H5, A6, B6, C6, D6, E6, F6, X4 + K14)   (47)
H6 = gg(H5, A6, B6, C6, D6, E6, F6, G6, X8 + K15)   (48)
A7 = gg(A6, B6, C6, D6, E6, F6, G6, H6, X30 + K16)   (49)
B7 = gg(B6, C6, D6, E6, F6, G6, H6, A7, X3 + K17)   (50)
C7 = gg(C6, D6, E6, F6, G6, H6, A7, B7, X21 + K18)   (51)
D7 = gg(D6, E6, F6, G6, H6, A7, B7, C7, X9 + K19)   (52)
E7 = gg(E6, F6, G6, H6, A7, B7, C7, D7, X17 + K20)   (53)
F7 = gg(F6, G6, H6, A7, B7, C7, D7, E7, X24 + K21)   (54)
G7 = gg(G6, H6, A7, B7, C7, D7, E7, F7, X29 + K22)   (55)
H7 = gg(H6, A7, B7, C7, D7, E7, F7, G7, X6 + K23)   (56)
A8 = gg(A7, B7, C7, D7, E7, F7, G7, H7, X19 + K24)   (57)
B8 = gg(B7, C7, D7, E7, F7, G7, H7, A8, X12 + K25)   (58)
C8 = gg(C7, D7, E7, F7, G7, H7, A8, B8, X15 + K26)   (59)
D8 = gg(D7, E7, F7, G7, H7, A8, B8, C8, X13 + K27)   (60)
E8 = gg(E7, F7, G7, H7, A8, B8, C8, D8, X2 + K28)   (61)
F8 = gg(F7, G7, H7, A8, B8, C8, D8, E8, X25 + K29)   (62)
G8 = gg(G7, H7, A8, B8, C8, D8, E8, F8, X31 + K30)   (63)
H8 = gg(H7, A8, B8, C8, D8, E8, F8, G8, X27 + K31)   (64)

PASS 3

A9 = hh(A8, B8, C8, D8, E8, F8, G8, H8, X19 + K32)   (65)
B9 = hh(B8, C8, D8, E8, F8, G8, H8, A9, X9 + K33)   (66)
C9 = hh(C8, D8, E8, F8, G8, H8, A9, B9, X4 + K34)   (67)
D9 = hh(D8, E8, F8, G8, H8, A9, B9, C9, X20 + K35)   (68)
E9 = hh(E8, F8, G8, H8, A9, B9, C9, D9, X28 + K36)   (69)
F9 = hh(F8, G8, H8, A9, B9, C9, D9, E9, X17 + K37)   (70)
G9 = hh(G8, H8, A9, B9, C9, D9, E9, F9, X8 + K38)   (71)
H9 = hh(H8, A9, B9, C9, D9, E9, F9, G9, X22 + K39)   (72)
A10 = hh(A9, B9, C9, D9, E9, F9, G9, H9, X29 + K40)   (73)
B10 = hh(B9, C9, D9, E9, F9, G9, H9, A10, X14 + K41)   (74)
C10 = hh(C9, D9, E9, F9, G9, H9, A10, B10, X25 + K42)   (75)
D10 = hh(D9, E9, F9, G9, H9, A10, B10, C10, X12 + K43)   (76)
E10 = hh(E9, F9, G9, H9, A10, B10, C10, D10, X24 + K44)   (77)
F10 = hh(F9, G9, H9, A10, B10, C10, D10, E10, X30 + K45)   (78)
G10 = hh(G9, H9, A10, B10, C10, D10, E10, F10, X16 + K46)   (79)
H10 = hh(H9, A10, B10, C10, D10, E10, F10, G10, X26 + K47)   (80)
A11 = hh(A10, B10, C10, D10, E10, F10, G10, H10, X31 + K48)   (81)
B11 = hh(B10, C10, D10, E10, F10, G10, H10, A11, X15 + K49)   (82)
C11 = hh(C10, D10, E10, F10, G10, H10, A11, B11, X7 + K50)   (83)
D11 = hh(D10, E10, F10, G10, H10, A11, B11, C11, X3 + K51)   (84)
E11 = hh(E10, F10, G10, H10, A11, B11, C11, D11, X1 + K52)   (85)
F11 = hh(F10, G10, H10, A11, B11, C11, D11, E11, X0 + K53)   (86)
G11 = hh(G10, H10, A11, B11, C11, D11, E11, F11, X18 + K54)   (87)
H11 = hh(H10, A11, B11, C11, D11, E11, F11, G11, X27 + K55)   (88)
A12 = hh(A11, B11, C11, D11, E11, F11, G11, H11, X13 + K56)   (89)
B12 = hh(B11, C11, D11, E11, F11, G11, H11, A12, X6 + K57)   (90)
C12 = hh(C11, D11, E11, F11, G11, H11, A12, B12, X21 + K58)   (91)
D12 = hh(D11, E11, F11, G11, H11, A12, B12, C12, X10 + K59)   (92)
E12 = hh(E11, F11, G11, H11, A12, B12, C12, D12, X23 + K60)   (93)
F12 = hh(F11, G11, H11, A12, B12, C12, D12, E12, X11 + K61)   (94)
G12 = hh(G11, H11, A12, B12, C12, D12, E12, F12, X5 + K62)   (95)
H12 = hh(H11, A12, B12, C12, D12, E12, F12, G12, X2 + K63)   (96)
The values $K_i$ used in the last two passes are 32-bit constants derived from the fractional part of $\pi$. Finally, the eight-word output of the compression function is computed with a feed-forward of the initial value:

$A = A_0 + A_{12}$, $B = B_0 + B_{12}$, $C = C_0 + C_{12}$, $D = D_0 + D_{12}$,
$E = E_0 + E_{12}$, $F = F_0 + F_{12}$, $G = G_0 + G_{12}$, $H = H_0 + H_{12}$.

The obtained words $(A, B, C, D, E, F, G, H)$ serve as initial value for the next application of the compression function. If this was the final use of the compression function (the last 32 words of the padded message have been processed), the concatenated 256-bit value $H \| G \| F \| E \| D \| C \| B \| A$ serves as hash value of the message, where the little-endian convention is used to transform the sequence of words into a sequence of bytes (the first byte is the least significant byte of $H$ and the last byte is the most significant byte of $A$). There is an optional output transformation which allows the length of this hash value to be reduced to 128, 160, 192 or 224 bits.
Abstract. Group signature schemes are fundamental cryptographic 
tools that enable unlinkably anonymous authentication, in the same fash- 
ion that digital signatures provide the basis for strong authentication 
protocols. In this paper we present the first group signature scheme with 
constant-size parameters that does not require any group member, in- 
cluding group managers, to know trapdoor secrets. This novel type of 
group signature scheme allows public parameters to be shared among 
organizations. Such sharing represents a highly desirable simplification 
over existing schemes, which require each organization to maintain a 
separate cryptographic domain. 

Keywords: Group signatures, privacy and anonymity, cryptographic 
protocols. 


1 Introduction 

Group signatures allow group members to anonymously sign arbitrary messages 
on behalf of the group. In addition, signatures generated from the same signer 
are unlinkable, i.e., it is difficult to determine whether two or more signatures 
were generated by the same group member. In case of dispute, a group manager 
will be able to open a signature and incontestably show the identity of the signer. 
At the same time, no one (including the group manager) will be able to falsely 
accuse any other member of the group. 

Group signatures were introduced by D. Chaum and E. van Heyst [16] in 
1991. That was followed by several other works, but only relatively recent ones 
[3,10,11] have group public keys and group signatures with sizes that do not 
depend on the number of group members. (While in theory one always needs at 
least log n bits to uniquely identify n different users in any system, in practice 
log n is orders of magnitude smaller than the bit length of keys used in public 
key cryptography.) The scheme in [3] is the most efficient one and the only 
proven secure against an adaptive adversary. However, all the existing group 
signature schemes providing constant-size parameters require the group manager 
to know the factors of an RSA modulus. Sharing these factors among group 
managers of different organizations would compromise the security and/or the 
trust assumptions of the entire scheme. This paper provides the first, affirmative 
answer to the question of whether it is possible to design trapdoor-free group 
signature schemes with public parameters that do not increase linearly in size 
with the number of group members. We have an informal proof of security for 
the scheme (along the lines of the proof in [3]), and sketch some arguments that 
might lead to a formal proof in the sense of [5], in appendix §B. 

1.1 Motivation 

Our schemes are useful when several distinct groups or organizations must inter- 
act and exchange information about individuals while protecting their privacy. 
Credential transfer systems (CTS) [14,15,19,17,23,9] are examples of such envi- 
ronments that can be built via group signature schemes [9]. Real-world scenarios 
for the use of CTS include the health-care industry, electronic voting, and trans- 
portation systems. In such cases, the added manageability and improved opti- 
mization opportunities permitted by the use of a single cryptographic domain 
for all participating organizations may outweigh other efficiency considerations. 
A CTS allows users to interact anonymously with several organizations so that it 
is possible to prove possession of a credential from one organization to another. 
Different transactions cannot be linked to real identities or even pseudonyms. 
It is then impossible to create profiles of users even if the organizations col- 
lude and, at the same time, users cannot falsely claim to possess credentials. 
Optionally, a privacy officer is able to retrieve user identities in case of dis- 
putes or emergencies. Users can thus authenticate themselves with anonymous 
credentials, protecting their privacy while exercising their right to vote, obtain- 
ing health services or renting a GPS-tracked automobile. The efficiency of a 
single signature generation or verification is measured in the human time scale. 
Consequently, theoretical computational advantages become less important, and 
instead the administrative complexity and related costs are likely to be the over- 
whelming concern of implementers. In these situations, a scheme with shareable 
parameters has a definite advantage since it eliminates the need for specialized 
techniques such as the ones employed in [9]. 

Recently in [5], it has been shown that group signatures can be built based 
on the assumption that trapdoor functions exist. It would be interesting to show 
the same but based on the existence of one-way functions. Our scheme is the 
first to be functionally trapdoor-free as no group member, nor even the group 
manager, needs to know the trapdoor information. Even though we use an RSA 
ring and we rely on the strong RSA assumption for security, the operation of 
the scheme exploits only the one-wayness of the RSA function, not its trapdoor 
properties. 

Organization of This Paper: The next section contains the definition of group 
signatures and the attending security requirements. In section §3 we give a high- 
level, intuitive description of our proposed scheme, and place it in the context 
of previous work. That section also introduces the cryptographic building blocks 
required for the scheme. The specific construction of our scheme takes all of 
section §4. A security analysis is provided in appendix §B. 
2 Definition 

In this section we present our characterization of group signature schemes. In 
general, a group signature scheme is defined by a family of procedures: 

SETUP: A probabilistic algorithm that generates the group-specific parameters. The input to SETUP is the set of public parameters, which includes a security parameter, and its output are the group public key V and associated secret key S.

JOIN: A prospective member executes this protocol (interacting with the group manager) to join the group. The new member's output is a membership certificate and the corresponding secret.

SIGN: A probabilistic algorithm that outputs a group signature when given as input a message, the group public key, a membership certificate, and the associated membership secret.

VERIFY: A boolean-valued algorithm used to test the authenticity of signatures generated by SIGN.

OPEN: An algorithm that, given as input a message, a group signature on it, and the group secret key, extracts the membership certificate used to issue the signature, and a non-interactive proof of the signature's authorship.

2.1 Properties Required 

A group signature scheme must satisfy the following properties: 

Correctness: A properly formed group signature must be accepted by the veri- 
fication algorithm. 

Unforgeability: Without possession of a membership certificate, and knowledge 
of associated secret, it is computationally infeasible to produce a signature that 
is accepted by the verification algorithm. 

Anonymity/Unlinkability: Given a group signature on a message, it is computa- 
tionally infeasible to determine which member generated the signature. More- 
over, given several group signatures on the same or different messages it is com- 
putationally infeasible to decide whether the signatures were issued by the same 
or by different group members. 

Exculpability: A signature produced by a group member cannot be successfully 
attributed to another, and the group manager cannot generate signatures on 
behalf of other group members (non-framing). 

Traceability: The group manager is “always” (with overwhelming probability) 
able to open a valid signature and determine which member signed it. Even if 
a coalition of group members collaborates to produce a signature on a message, 
possibly by combining their certificate secrets in some fashion, the group man- 
ager will succeed in attributing the signature to one of the colluding members 
(coalition-resistance) [3]. 
The requirements of unforgeability and coalition-resistance are equivalent to 
the requirements that group membership certificates be unforgeable under pas- 
sive and active attacks, respectively, and only issuable by the group manager. 
In other words, a membership certificate should contain the equivalent of a dig- 
ital signature by the group manager. Similarly, the requirements of traceability 
and exculpability imply that the group signature should hide a regular digital 
signature issued by the member. 

These listed requirements are intuitive, but somewhat redundant: For in- 
stance, exculpability and traceability are clearly connected. In [5] the first for- 
mal model of group signature schemes was introduced, showing the relations 
between different requirements, and simplifying the task of proving the security 
of a group signature scheme. In that work, the authors claim that all security 
requirements of group signature schemes are derivable from two newly defined 
concepts: full anonymity and full traceability. 

The new model introduces two independent group managers, one in charge of 
group membership management tasks, such as adding to or removing members 
from the group, and another responsible for opening group signatures - i.e., re- 
vealing the identity of the signer. The first manager provides privacy by enabling 
users to sign and authenticate themselves anonymously (or more properly, as ar- 
bitrary group members), while the second manager provides accountability, by 
tracing authorship of group signatures back to the issuer when required. Com- 
promise of the first manager’s secret key permits one to enroll arbitrary signing 
keys in the group and issue signatures on behalf of these non-entities. However it 
does not allow one to trace authorship of signatures. Compromise of the second 
manager’s secret key allows one to trace authorship of signatures, but not to add 
new public keys to the group. 

Definition 1. Full anonymity (cf. [5]): This is defined in terms of an adversarial game. The goal of the adversary is to defeat the anonymity by identifying the authorship of a group signature on a message. The game takes place in two stages. In the first (choose) stage, the adversary is given access to all members' secret keys. It also has access to an OPEN oracle, which it can query to find the authorship of various group signatures. The output of the first stage is two member identities $i_0$ and $i_1$, a message $m$ and some state information $S$. These are given as input to the second (guess) stage, in which the adversary is also given a group signature $\sigma$ on $m$, which is known to have been issued by either $i_0$ or $i_1$ with equal probability. The adversary can continue to query the OPEN oracle on signatures other than $\sigma$. The output of this stage is a guess $i_b$ for the identity of the signer. The adversary is said to win this game if it can guess the correct signer with more than a negligible advantage over a random guess. The group signature scheme is fully anonymous if no efficient adversary can have a strategy for winning the game.

250 Giuseppe Ateniese and Breno de Medeiros

Definition 2. Full traceability (cf. [5]): The game is played by an adversary, also in two stages. In the first (choose) stage the adversary is given access to the second group manager's secret key (the signature opening key) and can adaptively corrupt as many group members as it wishes. Let $C$ be the set of corrupted members at the end of the first stage. State information (including the secret keys of the members of $C$) is used as input to the guess stage, during which the adversary attempts to produce a message $m$ and a valid group signature $\sigma$ on $m$, such that if the (uncorrupted) OPEN protocol is invoked on $(m, \sigma)$, it will fail to attribute $\sigma$ to any group member in the set $C$. (Either the OPEN protocol would fail to produce a valid group member identity, or it would produce the identity of a member that has not been corrupted by the adversary.) The group signature scheme is said to be fully traceable if no efficient adversary can succeed in this game with non-negligible probability.

Remark 1. We also require that the compromise of either or both of the keys does 
not permit one to misattribute a signature issued by a legitimate group member 
(enrolled before the keys are compromised). This means in particular that 
a group signature scheme is not a key escrow mechanism. This approach differs 
from the one taken in [5]. There, the first group manager escrows the users' 
secret keys; in particular, users can be framed by compromising the first 
manager's secret key, which is equivalent to compromising all users' secret keys. 

3 Preliminaries 

In the group authentication problem a holder $U$ of a group certificate interacts 
with a verifier $V$ to prove his status as a group member without revealing his 
certificate. If the interactive protocol can be made non-interactive through the 
Fiat-Shamir heuristic ([20]), then the resulting algorithm will be similar to the 
issuing of a group signature, except that $U$'s identity may be unrecoverable from 
the signature alone. The issuing of a group signature requires, in addition to a 
proof of membership, that $U$ verifiably encrypts some information about his 
certificate under the group manager's public key. $U$ must provide the verifier 
with an encrypted token and prove to $V$ that the group manager is able to 
decrypt the token to reveal $U$'s authorship of the signature. 

A group signature can be seen as a proof of knowledge of a group certificate 
which provides evidence of membership. The group certificate can be generated 
only by the group manager GM and should be difficult to forge. In other words, 
the group membership certificate has the effect of a signature issued by the group 
manager. In addition, it has to contain some secret information generated by the 
group member and unknown to GM to avoid framing attacks in which GM signs 
on behalf of other members. 


3.1 Modified ElGamal Signatures 

Nyberg-Rueppel signatures [25] are ElGamal-type signature variants originally 
designed to provide message recovery. Instead of a one-way hash function, 
message-recovery schemes use a redundancy function. The redundancy function $R$ is 
a one-to-one mapping of messages into a so-called message-signing space $M_S$. 
The image of $R$, denoted $M_R$, must be sparse within $M_S$, i.e., given a random 
element of $M_S$, there is a negligible probability of it being in $M_R$. Otherwise, 
the message-recovery scheme is vulnerable to existential forgery attacks, as 
redundancy functions are, by definition, efficiently invertible. The following table 
assumes that $M_S = \mathbb{Z}_p^*$. Again, the signature calls for a random input $k$, and 
the output is a pair $(r, s)$, where $r = R(m)\, g^{-k} \bmod p$, and $s$ is computed as 
indicated in Table 1. 


Table 1. Nyberg-Rueppel signature variants. 

Variant   Signing equation                    Message recovery (verification) 
I         $s = k^{-1}(1 + xr) \bmod q$        $R(m) = r\, y^{r s^{-1}} g^{s^{-1}} \bmod p$ 
II        $s = x^{-1}(-1 + kr) \bmod q$       $R(m) = r\, y^{s r^{-1}} g^{r^{-1}} \bmod p$ 
III       $s = -xr + k \bmod q$               $R(m) = r\, y^{r} g^{s} \bmod p$ 
IV        $s = -x + kr \bmod q$               $R(m) = r\, y^{r^{-1}} g^{s r^{-1}} \bmod p$ 
V         $s = x^{-1}(-r + k) \bmod q$        $R(m) = r\, y^{s} g^{r} \bmod p$ 
VI        $s = k^{-1}(x + r) \bmod q$         $R(m) = r\, y^{s^{-1}} g^{s^{-1} r} \bmod p$ 
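As an added worked example (not code from the paper), the six variants of Table 1 instantiated in Python over the constructed toy group $p = 2039$, $q = 1019$, $g = 4$ ($p = 2q + 1$ is a safe prime and $g$ generates the quadratic-residue subgroup of order $q$), with an assumed redundancy function $R(m) = 16m + 10$ whose image is a sparse subset of $\mathbb{Z}_p^*$. The parameters are far too small for any security and exist only to make every row of the table checkable; the toy $R$ and the message bound 126 are assumptions of this example. Each variant is signed and the message recovered, and a tampered signature is rejected because $r\, y^a g^b$ lands outside the image of $R$, which is exactly the sparseness requirement discussed above.

```python
import secrets

# Constructed toy parameters (far too small for real use): p = 2q + 1 is a safe
# prime and G = 4 = 2^2 generates the order-q subgroup of quadratic residues mod p.
P, Q, G = 2039, 1019, 4


def redundancy(m):
    """Toy redundancy function R: maps messages 1..126 one-to-one into a sparse
    subset of Z_p^* (only one element in sixteen has the required low nibble)."""
    if not 1 <= m <= 126:
        raise ValueError("message outside the toy message space")
    return 16 * m + 10


def redundancy_inverse(v):
    """Invert R; None means v is not in the image M_R.  This sparseness check is
    what stops a random pair (r, s) from being accepted as a valid signature."""
    if v % 16 != 10:
        return None
    m = v // 16
    return m if 1 <= m <= 126 else None


def inv(a):
    """Inverse modulo the subgroup order q; exponents live in Z_q."""
    return pow(a % Q, -1, Q)


def sign(variant, m, x):
    """Nyberg-Rueppel signing for variant 1..6 (I..VI of Table 1):
    r = R(m) g^{-k} mod p for a fresh random k, then s from the variant's
    signing equation.  Draws for which r or s is 0 mod q are retried, since
    the recovery equations need their inverses."""
    while True:
        k = 1 + secrets.randbelow(Q - 1)
        r = redundancy(m) * pow(G, -k, P) % P
        if r % Q == 0:
            continue
        s = {
            1: lambda: inv(k) * (1 + x * r) % Q,
            2: lambda: inv(x) * (-1 + k * r) % Q,
            3: lambda: (-x * r + k) % Q,
            4: lambda: (-x + k * r) % Q,
            5: lambda: inv(x) * (-r + k) % Q,
            6: lambda: inv(k) * (x + r) % Q,
        }[variant]()
        if s != 0:
            return r, s


def recover(variant, r, s, y):
    """Message recovery / verification: rebuild R(m) = r y^a g^b mod p with the
    exponents (a, b) of Table 1 and invert R.  None means the signature is invalid."""
    try:
        a, b = {
            1: (r * inv(s), inv(s)),
            2: (s * inv(r), inv(r)),
            3: (r, s),
            4: (inv(r), s * inv(r)),
            5: (s, r),
            6: (inv(s), inv(s) * r),
        }[variant]
    except ValueError:            # r or s not invertible mod q: cannot be valid
        return None
    v = r * pow(y, a % Q, P) * pow(G, b % Q, P) % P
    return redundancy_inverse(v)


if __name__ == "__main__":
    x = 1 + secrets.randbelow(Q - 1)      # signer's secret key; y = g^x is public
    y = pow(G, x, P)
    for variant in range(1, 7):
        r, s = sign(variant, 42, x)
        print(f"variant {variant}: (r, s) = ({r}, {s}), recovered m = {recover(variant, r, s, y)}")
```

The recovery equations are the signing equations solved for $k$ and substituted into $r\, g^{k} = R(m)$, so all six rows reduce to the same check; a real instantiation would use a group of at least the size discussed in section 4 and a redundancy function with a negligible image density.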


If in the equations above, the redundancy function $R(\cdot)$ is replaced by a one-way 
function, then the message-recovery property is lost. On the other hand, the 
requirement that the image of the function be sparse in the signing space may 
also be dropped. This modified Nyberg-Rueppel scheme, as a signature scheme for 
short messages only, is (loosely) reducible to the hardness of discrete logarithm 
computations in the standard model. Alternatively, it is (loosely) reducible to 
the discrete logarithm in the random oracle model if extended to arbitrarily 
long messages through the hash-and-sign paradigm. Moreover, the form of the 
modified verification equation (if the one-way function is suitably chosen) 
lends itself to the construction of proofs of knowledge of signatures that are 
more efficient than similar proofs for unmodified ElGamal-type signature variants. 

We now describe the setting of our scheme. Let $\mathcal{G}$ be some arithmetic group. 
Not all groups $\mathcal{G}$ where Nyberg-Rueppel (or ElGamal) signatures make sense 
have the characteristics needed by our scheme. In section §4, we outline the 
specifics of the protocols in a suitable group, namely the subgroup of quadratic 
residues modulo a prime $p$, where $p$ is simultaneously a safe prime, i.e., $p = 2q + 1$ 
with $q$ also prime, and a Sophie Germain prime, that is, the number $\tilde{p} = 2p + 1$ 
is prime. There are other choices for the group $\mathcal{G}$; see appendix §C for a simpler 
construction in certain RSA rings. 

Let $\mathcal{G}$ be a suitable group. The order of $\mathcal{G}$ may be a known prime or an 
unknown composite number. Let $g$ and $g_1$ be fixed, public generators of $\mathcal{G}$; it is 
assumed that the discrete logarithm of $g$ with respect to $g_1$ (and of $g_1$ w.r.t. $g$) 
is unknown to group members. Let $y = g^x$ be the public key of the signer GM, 
with associated secret $x$. (In the group signature scheme, $y$ corresponds to the 
certificate issuing key.) Finally, this signature scheme defines the message space 
$M$ as the set of integers modulo $q$ in the case of known order, and the set of 
integers smaller than some upper bound otherwise. The signing space is $M_S = \mathcal{G}$, 
and the one-way function $h(\cdot) : M \to M_S$ is defined by $h(m) = g_1^m$. Clearly, 
$h(\cdot)$ satisfies the requirements of a secure one-way function: $h(\cdot)$ is pre-image 
resistant by the hardness of computing discrete logarithms in $\mathcal{G}$. In the case of 
known order, it is further one-to-one, hence trivially collision-resistant. In the 
case of unknown order, finding a collision would reveal the order of $\mathcal{G}$, i.e., it is 
equivalent to factorization. 

The signing and verification algorithms of the modified Nyberg-Rueppel scheme are 
as follows: 

Signing: $r = g_1^m g^{-k}$ (in $\mathcal{G}$); (1) 

$s = -xr + k \pmod q$; (2) 

Verification: $g_1^m = r\, y^r g^s$ (in $\mathcal{G}$). (3) 

We have placed "mod $q$" within parentheses as that reduction is only computed 
when the order of $\mathcal{G}$ is a known prime. These signatures are issuable only 
by the signer GM, who is privy to the secret key $x$ associated to $y$. Indeed, such 
signatures are loosely reducible, through a standard forking lemma argument 
[26], to the discrete logarithm problem. Please refer to appendix §B. 

3.2 High Level Description of the Scheme 

A prospective new member $U$ who wishes to join the group must have first 
secured a digital signature certificate with some certification authority. $U$ starts 
the join protocol by choosing a random, secret value $u$ and computing $I_U = g_1^u$. 
More precisely, $U$ and GM interact so that both contribute to the randomization 
of $u$, while its value remains secret from the GM. Then $U$ constructs a zero-knowledge 
proof (of knowledge) of the discrete logarith of the pseudonym $I_U$ 
with respect to $g_1$. $U$ signs the pseudonym and the proof of knowledge of the 
pseudonym secret, and sends it to the GM to request a group membership 
certificate. 

GM verifies the signature against $U$'s public certificate and the correctness 
of the zero-knowledge proof. If both are well-formed, GM responds with the 
signature pair $(r, s)$ on $I_U$, which is technically GM's signature on a message 
$u$ known only to $U$. This is safe from the GM's viewpoint because both GM 
and $U$ contribute to the choice of the value $u$. It is imperative, however, that 
only $U$ knows the value $u$, as it is in effect the secret key allowing $U$ to use 
the membership certificate to issue signatures. The equations used by GM to 
generate $(r, s)$ are: 

$r = I_U\, g^{-k}$ (in $\mathcal{G}$); $s = -xr + k \pmod q$, (4) 

where $k$ is a random parameter of GM's choice, and the reduction modulo $q$ is 
applied only in the case of known order. $U$ verifies the signature, checking that: 

$I_U = r\, y^r g^s$ (in $\mathcal{G}$). (5) 
The scheme must permit $U$ to prove knowledge of this certificate pair $(r, s)$ 
without revealing any linkable function of $r$, $s$, or $u$. It must also allow GM 
to open the proof and show the identity of the group member. Both problems 
can be solved by employing a verifiable encryption of digital signature schemes. 
However, unlinkability between different protocol executions is not a requirement 
of verifiable encryption schemes, and indeed existing protocols for ElGamal-type 
signature schemes do not provide it. Hence, it would be possible to link two or 
more verifiable encryptions, which is equivalent to linking two or more group 
signatures from the same signer. This is because, in existing schemes, the first 
value $r$ of the signature pair $(r, s)$ is revealed and the actual protocol is applied 
only to the second value $s$, thereby reducing the problem of verifiable encryption 
of a digital signature to the simpler problem of verifiably encrypting a discrete 
logarithm (see [8,1,22,2] for details). 

To solve this issue, it is necessary to ElGamal encrypt the value $r$ as well, 
and prove in zero-knowledge that a Nyberg-Rueppel signature is known on a 
secret value $u$. More concretely, every time the group member must use the 
certificate, she encrypts the inverse of the value $r$, to get the ElGamal pair 
$(R_1, R_2) = (r^{-1} y_2^{\ell}, g_2^{\ell})$. This encryption is under the second public key $y_2 = g_2^z$ of 
the group manager, used for opening group member signatures, with associated 
secret $z$. 

The group member also encrypts his pseudonym: $(Y_1, Y_2) = (I_U\, y_2^{\ell'}, g_2^{\ell'})$. Notice 
that the product cipher is: 

$(R_1 Y_1, R_2 Y_2) = (I_U\, r^{-1} y_2^{\ell+\ell'},\ g_2^{\ell+\ell'}) = (y^r g^s y_2^{\ell+\ell'},\ g_2^{\ell+\ell'})$ (6) 

In order to prove knowledge of a membership certificate, the member $U$ 
releases the above ElGamal encrypted pairs $(R_1, R_2)$ and $(Y_1, Y_2)$ and proves 
that the product cipher encrypts some information which the signer can write 
in two ways, i.e., as the product $I_U r^{-1}$ for pseudonym $I_U$ (for which the signer 
knows the corresponding pseudonym secret) and value $r$, and also as $y^r g^s$, for 
the same value $r$ and some $s$ known to the signer. In other words, the signer 
shows that an equation like (6) holds for the product cipher. 

To proceed, we must overcome a difficulty with equation (6): the value in 
the exponent is reduced modulo the order of the group $\mathcal{G}$, while the encrypted 
value $r$ is an element of $\mathcal{G}$ itself. The reduction function does not preserve group 
operations (it is not multiplicative), and the method for proving equality between 
an ElGamal-encrypted value and a logarithm, due to Stadler [28], cannot be 
directly applied. The solution is to employ a technique due to Boudot [7] that 
permits efficient comparison between logarithms in different groups. So we use 
an auxiliary group $\mathcal{F}$ of order compatible with the operations in $\mathcal{G}$. We release 
a commitment to the value $r$ as an exponent of an element of $\mathcal{F}$, and we show 
that it equals (up to modular reduction) the exponent of $y$ in the representation 
with respect to the basis $\{y, g\}$ of the value ElGamal encrypted in the product 
cipher $(R_1 Y_1, R_2 Y_2)$. Next, we use Stadler's technique to prove the equality of 
the encrypted value $r$ (in the pair $(R_1, R_2)$ of $\mathcal{G}$) with the value committed as an 
exponent in $\mathcal{F}$. 

To complete the sign protocol, the signer proves knowledge of the discrete 
logarithm to basis $g_1$ of the value $I_U$ which is ElGamal encrypted in the pair 
$(Y_1, Y_2)$. This shows that the group manager will be able to open the signature 
with just an ElGamal decryption operation. 

Proofs of Knowledge. In this paper we make use of several types of proofs 
of knowledge about various relations between secrets. All these proofs of knowl- 
edge have been presented elsewhere. In order to harmonize the notation, which 
varies from author to author, and make the paper self-contained, we include an 
appendix (§A) in which we reproduce these various results. 

4 The Scheme 

We now describe the scheme more concretely, starting with $\mathcal{T}$, the set of shared 
public parameters. $\mathcal{T}$ specifies security parameters $\delta$, $\epsilon$, $\sigma$, $\sigma_2$, and $\tau$, and a 
secure hash function $\mathcal{H}$ that maps bit-strings of arbitrary length into bit-strings 
of fixed length $\tau$. A typical set of choices would be $\delta = 40$, $\sigma = 40$, $\sigma_2 = 552$, 
$\tau = 160$, and $\mathcal{H}(\cdot) = \mathrm{SHA}\text{-}1(\cdot)$. The parameter $\epsilon$ should be larger than 1 by 
a non-negligible amount. These security parameters impact the security and 
efficiency of the various proofs of knowledge used in the scheme. (Notation as in 
appendix §A.) $\mathcal{T}$ also specifies an arithmetic group $\mathcal{G}$ and three generators $g$, $g_1$ 
and $g_2$ of $\mathcal{G}$. 

In this section we assume that $\mathcal{G}$ is the quadratic residue subgroup of the 
multiplicative residues modulo $p$, where $p$ is simultaneously a safe prime, i.e., 
$p = 2q + 1$ with $q$ also prime, and a Sophie Germain prime, i.e., the number 
$\tilde{p} = 2p + 1$ is prime. Primes $p$ such that $\tilde{p} = 2p + 1$ and $p = 2q + 1$, with $\tilde{p}$ 
and $q$ also prime, are called strong primes. (More generally, if $\tilde{p} = mp + 1$ and 
$p = nq + 1$ with small $m$ and $n$, they are also called strong primes, but $m = n = 2$ 
gives the most efficient scheme.) See [18,21] for efficient methods to generate 
such primes. In order to choose $g$ it is enough to pick a random element $g'$ in 
$\mathbb{Z}_p^*$ and set $g = g'^2 \bmod p$, provided that $g \not\equiv 1 \pmod p$. The same procedure 
should be used to obtain $g_1$ and $g_2$. 

The scheme also requires an auxiliary group $\mathcal{F}$ of order $p$, which in this section 
will be chosen as the quadratic residue subgroup of the multiplicative residues modulo 
$\tilde{p}$. Furthermore, the scheme requires a second auxiliary group $\mathcal{E}$ of unknown 
composite order $h$. A trusted party generates a composite modulus $n$, plus a 
proof $P$ that $n$ is the product of two safe primes. The group $\mathcal{E}$ is defined as the 
quadratic residue subgroup of the multiplicative residues modulo $n$. The order 
of $\mathcal{E}$ is the universally unknown number $\phi(n)/4$. Group managers of competing 
organizations may all share the same modulus $n$, as the operation of the scheme 
does not require anybody to know the RSA trapdoor associated to $n$, and the 
trusted party may safely forget the factorization at its discretion. 

The above public parameters can be further certified if so desired. A proof 
of primality can be provided for each of the primes; as for $g$, $g_1$ and $g_2$, anybody 
can verify their correct generation by testing that each is not congruent to 0 or 1 
modulo $p$, and then verifying that each is a square, by computing the Legendre 
symbol and checking that $\left(\frac{g}{p}\right) = 1$ (and likewise for $g_1$ and $g_2$). 

Table 2. Shared and group specific parameters. 

Shared parameters 
  Security parameters: $\delta$, $\epsilon$, $\sigma$, $\sigma_2$, $\tau$; 
  Secure hash function: $\mathcal{H}(\cdot) : \{0,1\}^* \to \{0,1\}^\tau$; 
  $\tilde{p}$, $p$, $q$ primes s.t. $\tilde{p} = 2p + 1$ and $p = 2q + 1$; 
  $\mathcal{G} = \{x \in \mathbb{Z}_p^* : \exists\, a \in \mathbb{Z}_p^* \text{ s.t. } x = a^2 \bmod p\}$; 
  $\mathcal{F} = \{x \in \mathbb{Z}_{\tilde{p}}^* : \exists\, a \in \mathbb{Z}_{\tilde{p}}^* \text{ s.t. } x = a^2 \bmod \tilde{p}\}$; 
  $\mathcal{E} = \{x \in \mathbb{Z}_n^* : \exists\, a \in \mathbb{Z}_n^* \text{ s.t. } x = a^2 \bmod n\}$; 
  $g$, $g_1$, and $g_2$, generators of $\mathcal{G}$. 

Group-specific parameters 
  $\mathcal{S}$, a string including $y$ and $y_2$; 
  CA's signature: $\mathrm{CERT}_{CA}(\mathcal{S})$. 

Table 3. The JOIN protocol 

  $U \to GM$:   $J_U = g_1^m \bmod p$ 
  $GM \to U$:   $a, b \bmod q$ 
  $U \to GM$:   $\mathrm{Sig}_U(I_U = J_U^a g_1^b,\ PK[u : I_U = g_1^u])$ 
  $GM \to U$:   $r = I_U g^{-k} \bmod p$, $s = -xr + k \bmod q$ 

In order to set up a group using the shared parameters above, the group 
manager GM chooses $x$ and $z$ at random among the numbers $[1, q - 1]$ and sets 
the public keys $y = g^x$ and $y_2 = g_2^z$. The group manager should proceed to 
register these group-specific parameters with some certification authority. The 
GM would prepare a statement $\mathcal{S}$ containing (minimally) a description of the 
group signature algorithms, a reference to the shared parameters, GM's name, 
the group-specific parameters $y$ and $y_2$, and some timed information, such 
as start and expiration dates. The GM should obtain a certificate $\mathrm{CERT}_{CA}(\mathcal{S})$ 
from the CA establishing the group-specific parameters. 

Let $\mathrm{Sig}_U(\cdot)$ denote $U$'s signature algorithm. To join the group, a prospective 
member $U$ chooses a random secret $m$ in the interval $[1, q - 1]$, computes $J_U = g_1^m$, 
and sends this value to GM, who responds with two values $a$ and $b$ in 
$[1, q - 1]$. $U$ computes his pseudonym as $I_U = J_U^a g_1^b$ and its associated secret 
$u = am + b \bmod q$. Next, $U$ constructs a non-interactive proof of knowledge 
of the logarithm to basis $g_1$ of this pseudonym (see appendix A), and also his 
signature $S = \mathrm{Sig}_U(I_U, PK)$ on both the pseudonym and the proof-of-knowledge 
just constructed. $U$ forwards to the GM this signature $S$. 

The GM now verifies that the pseudonym incorporates his contribution, i.e., 
$I_U = J_U^a g_1^b$. This step is important because $u$ is unknown to GM, who must 
sign it. Since the GM contributed to $u$'s randomness, that does not constitute 
a threat to the GM's signature algorithm. The GM also verifies the correctness 
of the proof-of-knowledge and $U$'s signature. If satisfied, the GM generates a 
random $k \bmod q$, and computes $r = I_U g^{-k} \bmod p$, checking that $r < c$, where 
$c$ equals: 

$c = p - 2^{\delta + \tau/2 + 2}\sqrt{p}$, (7) 

and repeating the process of computing other random $k$ and $r$ until such an $r$ 
is found. Note that $r < c$ with overwhelming probability in a single attempt: 
since the quadratic residues are nearly uniformly distributed in the 
interval $[1, p - 1]$, we have that $r < c$ with probability greater than 
$1 - 2^{-645}$ if the security parameters have the typical values $\delta = 40$, $\tau = 160$ and 
$p$ has at least 768 significant bits. This very minor restriction on the possible 
values of $r$ reflects requirements of the proof of equality of discrete logarithms 
in distinct groups, as we shall see later. After a suitable $r$ is found, GM computes 
$s = k - xr \bmod q$, and sends the certificate $(r, s)$ to $U$. The GM also records 
the signature $S$, which ties $U$'s identity to the certificate's pseudonym. $U$ verifies 
that the certificate $(r, s)$ satisfies the verification equation, and if so, accepts it 
as valid. 
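As an added example (not the paper's code) of the JOIN protocol of Table 3 together with the modified Nyberg-Rueppel certificate of equations (4) and (5) and the discrete-logarithm proof of Definition 5 in its known-order form. It runs over the constructed toy group $p = 2039$, $q = 1019$ with generators $g = 4$ and $g_1 = 9$ (no security at this size; in a real deployment $g_1$ is chosen so that $\log_g g_1$ is unknown). The hash is SHA-1, as in the paper's typical parameters; $U$'s outer signature $\mathrm{Sig}_U(\cdot)$ with the certification authority, and the $r < c$ check of equation (7), are omitted, which are simplifications of this example. Both parties run inside one function so that every check each side performs is visible.

```python
import hashlib
import secrets

# Constructed toy parameters (no security at this size): p = 2q + 1 is a safe
# prime; g and g1 generate the order-q subgroup of quadratic residues mod p.
# A real deployment picks g1 so that nobody knows log_g(g1), e.g. by hashing.
P, Q = 2039, 1019
G, G1 = 4, 9


def H(*parts):
    """The hash H : {0,1}* -> {0,1}^tau of the paper, instantiated with SHA-1 (tau = 160)."""
    data = "||".join(str(p) for p in parts).encode()
    return int.from_bytes(hashlib.sha1(data).digest(), "big")


def pk_dlog(h, x, base):
    """Non-interactive PK[x : h = base^x] (Definition 5, known-order form):
    pick k, set c = H(base||h||base^k) and s = k - c x mod q."""
    k = secrets.randbelow(Q)
    c = H(base, h, pow(base, k, P))
    return c, (k - c * x) % Q


def verify_pk_dlog(h, proof, base):
    """Check c = H(base||h||base^s h^c)."""
    c, s = proof
    return c == H(base, h, pow(base, s, P) * pow(h, c, P) % P)


def gm_keygen():
    """GM's certificate-issuing key pair: secret x, public y = g^x."""
    x = 1 + secrets.randbelow(Q - 1)
    return x, pow(G, x, P)


def verify_certificate(cert, y):
    """Equation (5), I_U = r y^r g^s, plus the pseudonym relation I_U = g1^u."""
    I, u, r, s = cert["I"], cert["u"], cert["r"], cert["s"]
    return I == r * pow(y, r, P) * pow(G, s, P) % P and I == pow(G1, u, P)


def join_protocol(x, y):
    """Run JOIN (Table 3) between U and GM; return U's certificate and secrets."""
    # U -> GM: J_U = g1^m for a random secret m.
    m = 1 + secrets.randbelow(Q - 1)
    J = pow(G1, m, P)
    # GM -> U: a, b so that GM also contributes to the randomness of u.
    a, b = 1 + secrets.randbelow(Q - 1), 1 + secrets.randbelow(Q - 1)
    # U: pseudonym I_U = J_U^a g1^b = g1^u with u = a m + b mod q, and PK[u : I_U = g1^u].
    u = (a * m + b) % Q
    I = pow(J, a, P) * pow(G1, b, P) % P
    proof = pk_dlog(I, u, G1)
    # GM: the pseudonym must embed GM's contribution and the proof must verify.
    if I != pow(J, a, P) * pow(G1, b, P) % P or not verify_pk_dlog(I, proof, G1):
        raise ValueError("join request rejected")
    # GM: modified Nyberg-Rueppel signature on the secret u (equation (4)):
    # r = I_U g^{-k} mod p, s = -x r + k mod q.
    k = 1 + secrets.randbelow(Q - 1)
    r = I * pow(G, -k, P) % P
    s = (-x * r + k) % Q
    cert = {"I": I, "u": u, "r": r, "s": s}
    # U: accept only if equation (5) holds.
    if not verify_certificate(cert, y):
        raise ValueError("certificate failed verification")
    return cert


if __name__ == "__main__":
    x, y = gm_keygen()
    cert = join_protocol(x, y)
    print("certificate (r, s) =", (cert["r"], cert["s"]), "valid:", verify_certificate(cert, y))
```

Note that GM never learns $u$: it signs $I_U = g_1^u$ after checking $I_U = J_U^a g_1^b$, which is why the framing resistance of Remark 1 holds even though GM issues the certificate.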

We now describe the protocol SIGN. One goal of this protocol is that $U$ 
convince a verifier $V$ of its knowledge of a membership certificate $(r, s)$ as above. 
As in section §3, the signer chooses random $\ell$ and $\ell'$, with $0 < \ell, \ell' < q$. $U$ 
releases the ElGamal encrypted pairs: 

$(Y_1, Y_2) = (I_U\, y_2^{\ell'}, g_2^{\ell'})$; $(R_1, R_2) = (r^{-1} y_2^{\ell}, g_2^{\ell})$. 

Next, $U$ demonstrates that the pseudonym $I_U$ is encrypted by the pair $(Y_1, Y_2)$, 
and proves knowledge of the pseudonym secret $u$, by executing $PK[u, \ell' : Y_1 = 
g_1^u y_2^{\ell'} \wedge Y_2 = g_2^{\ell'}]$. This step is crucial to prevent framing attacks against $U$, as 
not even the group manager can execute it without knowledge of $u$. 

Continuing with the SIGN protocol, $U$ generates a fresh, random generator $\chi$ 
of the group $\mathcal{F}$, and computes a (computationally zero-knowledge) commitment 
to the value $r$ as $E_1 = E_1(r, 0) = \chi^r$. In the language of appendix §A, this is 
a (degenerate) commitment to the value $r$ in the group $\mathcal{F}$, with respect to the 
generator $\chi$. 

$U$ also generates a commitment to $r$ in the auxiliary group $\mathcal{E}$ of unknown 
order. For that, $U$ uses two generators $\beta$ and $\gamma$ of $\mathcal{E}$, where $\beta$ and $\gamma$ are provably 
randomly generated, so that $U$ cannot know their relative discrete logarithm. For 
instance, $\gamma$ and $\beta$ can be generated as the squares of two consecutive values of a 
secure pseudo-random number generator SPRNG. The commitment is computed 
as $E_2 = E_2(r, s_2) = \gamma^r \beta^{s_2}$, where $s_2$ is a random parameter of $U$'s choice: 
$s_2 \in [-2^{\kappa+\tau+1}, 2^{\kappa+\tau+1}]$, where $2^{\kappa-1} < |\mathcal{E}| < 2^{\kappa}$. Notice that the value $R_1 Y_1 = 
I_U r^{-1} y_2^{\ell+\ell'} = y^r g^s y_2^{\ell+\ell'}$ is also a commitment to the value $r$ in the group $\mathcal{G}$, with 
generators $y$, $g$, and $y_2$. Denote it by $E_3 = R_1 Y_1$. 

In the next step, $U$ reveals the commitments $E_1$, $E_2$, and the respective 
generators $\gamma$, $\beta$, and $\chi$. (In the case of $\gamma$ and $\beta$, $U$ must also reveal the seed 
of the SPRNG that leads to the computation of $\gamma$ and $\beta$.) $U$ then shows 
that $E_1$, $E_2$ and $E_3$ are all commitments to the same value $r$. (Notice that 
we are following the efficient construction found in [7], repeated in detail here 
for reasons of convenience.) $U$ executes two proofs of equality of two committed 
values (def. 10). In the first proof $U$ sends $V$ a triple $(c', D', D'_1)$ satisfying: 

$c' = \mathcal{H}(\chi \| \gamma \| \beta \| E_1 \| E_2 \| \chi^{D'} E_1^{-c'} \bmod \tilde{p} \| \gamma^{D'} \beta^{D'_1} E_2^{-c'} \bmod n)$. 

Again, refer to def. (10) for how to build these proofs. In agreement with the 
notation in appendix §A, we denote the above by $PK[r, s_2 : E_1 = E_1(r, 0) \wedge 
E_2 = E_2(r, s_2)]$. Then $U$ sends $V$ a quintuple $(c, D, D_1, D_2, D_3)$ satisfying: 

$c = \mathcal{H}(\gamma \| \beta \| y \| g \| y_2 \| E_2 \| E_3 \| \gamma^{D} \beta^{D_1} E_2^{-c} \bmod n \| y^{D} g^{D_2} y_2^{D_3} E_3^{-c} \bmod p \| g_2^{D_3} (Y_2 R_2)^{-c} \bmod p)$. 

Denote that by $PK[r, s, s_2, t : E_2 = E_2(r, s_2) \wedge E_3 = E_3(r, s, t) \wedge 
Y_2 R_2 = g_2^t]$. 

If all of the commitments $E_1$, $E_2$, and $E_3$ took place within the same group, 
the above would be a proof of equality of the committed exponent in each of the 
commitments. However, as the orders of the groups differ, we have only proved 
knowledge of an integer value $r$ which satisfies 

$r = r_1 \bmod p$, and $r = r_3 \bmod q$, (8) 

where $r_1$ and $r_3$ are, respectively, the exponents committed in $E_1$ and $E_3$, while $r$ 
is the exponent committed in $E_2$. (As $U$ does not know the order of $\mathcal{E}$, it cannot 
set up a modular equation that the exponent of $E_2$ should satisfy, and must use 
the full integer value $r$.) $U$ could cheat and pass the "proof" above for any two 
different values $r_1$ and $r_3$, by setting $r$ in $E_2$ to equal the solution, computed via 
the Chinese Remainder Theorem, to the pair of modular equations in (8). Thus, 
a non-member $U'$ would be able to forge the proof of knowledge of a certificate, 
by choosing $r_3$ and $s$ arbitrarily, computing the value $r_1$ that would make the 
certificate equation work, and then solving the pair of equations (8) for an $r$ that 
reduces to $r_1 \bmod p$ and $r_3 \bmod q$, respectively. In the cheating case, however, 
because $r_1 \neq r_3 \bmod q$, $U'$ computes a value $r > p$ as the solution of (8). Thus, if 
$U'$ is required to prove that the value $r_2$ committed in $E_2$ is within an interval 
of width at most $p$, this forgery attack is prevented, and the commitments must 
all hide the same value. So to complete the "proof of equality of commitments in 
different groups," $U$ must construct a proof that the value $r$ is restricted to an 
interval of width at most $p$. For that, $U$ uses the fact that $r < c$, and constructs 
the proof of knowledge that a committed value lies in a slightly larger interval, 
def. (13): $PK[r, s_2 : E_2 = E_2(r, s_2) \wedge r \in [-2^{\delta+\tau/2+1}\sqrt{c},\ c + 2^{\delta+\tau/2+1}\sqrt{c}]]$. 
To observe that the interval in question has width smaller than $p$, notice that 
its width equals $2^{\delta+\tau/2+2}\sqrt{c} < c + 2^{\delta+\tau/2+2}\sqrt{p} = p$, by choice of $c$ (see 
equation 7). 

Finally, $U$ must show that the exponent committed in $E_1$ equals the value 
encrypted in the pair $(R_1, R_2)$, by executing (definition 14): $PK[r, \ell : E_1 = 
\chi^r \wedge R_1 = r^{-1} y_2^{\ell} \wedge R_2 = g_2^{\ell}]$. The actual protocol SIGN combines all the proofs 
of knowledge into a single signature of knowledge. This is done by simultaneously 
committing to all the inputs of the proofs and using the resulting challenge in 
all the verification equations (à la Fiat-Shamir). In addition, the message $M$ to 
be signed is used as an extra input of the hash function. 

The protocol is summarized in table 4. Moreover, algorithm VERIFY can be 
derived immediately from the above formal description of SIGN as a proof of 
knowledge of a group certificate. 
Table 4. The SIGN protocol 

Proof arguments: $Y_1$, $Y_2$, $R_1$, $R_2$, $\chi$, $\gamma$, $\beta$, $E_1$, and $E_2$. 

Signature of knowledge: 

$SPK[u, \ell, \ell', r, s, s_2, t :\ Y_1 = g_1^u y_2^{\ell'} \wedge Y_2 = g_2^{\ell'} 
\wedge E_1 = \chi^r \wedge R_1 = r^{-1} y_2^{\ell} \wedge R_2 = g_2^{\ell} 
\wedge E_2 = E_2(r, s_2) = \gamma^r \beta^{s_2} \wedge r \in [-2^{\delta+\tau/2+1}\sqrt{c},\ c + 2^{\delta+\tau/2+1}\sqrt{c}] 
\wedge E_3 = E_3(r, s, t) = Y_1 R_1 = y^r g^s y_2^t \wedge Y_2 R_2 = g_2^t](M)$ 


As for OPEN, it is enough that the group manager decrypts the pair $(Y_1, Y_2)$ 
to obtain the value $I_U$ and the corresponding group membership certificate. 
GM constructs a proof that $I_U$ is indeed the value encrypted in $(Y_1, Y_2)$ without 
revealing the opening secret $z$: $PK[z : Y_1 I_U^{-1} = Y_2^z \wedge y_2 = g_2^z]$, a publicly verifiable 
proof of authorship of the signature. 
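An added example (not the paper's code) of the ElGamal pairs released in SIGN, the product-cipher identity of equation (6), and OPEN with its proof of common discrete logarithm (Definition 6, known-order form, with the challenge taken over the product of the bases as that definition states). It uses the constructed toy group $p = 2039$, $q = 1019$ and generators $g = 4$, $g_1 = 9$, $g_2 = 25$ (no security at this size; in practice the discrete logarithms between the three generators must be unknown to everybody) and a directly constructed certificate $(r, s)$ standing in for the output of JOIN. The zero-knowledge proofs of SIGN itself are not reproduced here; the example checks the relation they assert by decrypting with the opening key.

```python
import hashlib
import secrets

# Constructed toy parameters (no security at this size): p = 2q + 1 is a safe
# prime; g, g1 and g2 generate the order-q subgroup of quadratic residues mod p.
P, Q = 2039, 1019
G, G1, G2 = 4, 9, 25


def H(*parts):
    """The hash H of the paper, instantiated with SHA-1 (tau = 160)."""
    data = "||".join(str(p) for p in parts).encode()
    return int.from_bytes(hashlib.sha1(data).digest(), "big")


def toy_certificate(x, u, k):
    """A certificate (r, s) on the pseudonym I_U = g1^u, as GM issues it in JOIN."""
    I = pow(G1, u, P)
    r = I * pow(G, -k, P) % P
    return {"I": I, "u": u, "r": r, "s": (k - x * r) % Q}


def encrypt(msg, y2, ell):
    """ElGamal encryption under the opening key y2 = g2^z: (msg * y2^ell, g2^ell)."""
    return msg * pow(y2, ell, P) % P, pow(G2, ell, P)


def decrypt(pair, z):
    c1, c2 = pair
    return c1 * pow(c2, -z, P) % P


def release_pairs(cert, y2):
    """What the signer publishes in SIGN: (Y1, Y2) encrypting I_U under fresh
    randomness ell', and (R1, R2) encrypting r^{-1} under fresh randomness ell."""
    ell = 1 + secrets.randbelow(Q - 1)
    ell_prime = 1 + secrets.randbelow(Q - 1)
    Y = encrypt(cert["I"], y2, ell_prime)
    R = encrypt(pow(cert["r"], -1, P), y2, ell)
    return Y, R


def product_cipher_is_consistent(Y, R, cert, y, z):
    """Equation (6): (R1 Y1, R2 Y2) encrypts I_U r^{-1}, which by the certificate
    equation (5) equals y^r g^s.  Checked here by decrypting with the opening key."""
    plain = decrypt((R[0] * Y[0] % P, R[1] * Y[1] % P), z)
    return plain == pow(y, cert["r"], P) * pow(G, cert["s"], P) % P


def open_signature(Y, z, y2):
    """OPEN: decrypt (Y1, Y2) to I_U and prove PK[z : Y1 I_U^{-1} = Y2^z and y2 = g2^z]
    as in Definition 6: c = H(bases || targets || (Y2 g2)^k), s = k - c z mod q."""
    I = decrypt(Y, z)
    bases = (Y[1], G2)
    targets = (Y[0] * pow(I, -1, P) % P, y2)
    k = secrets.randbelow(Q)
    c = H(*bases, *targets, pow(bases[0] * bases[1] % P, k, P))
    return I, (c, (k - c * z) % Q)


def verify_open(Y, I, proof, y2):
    """Anyone can check GM's claim: c = H(bases || targets || (Y2 g2)^s (Y1/I_U * y2)^c)."""
    c, s = proof
    bases = (Y[1], G2)
    targets = (Y[0] * pow(I, -1, P) % P, y2)
    w = pow(bases[0] * bases[1] % P, s, P) * pow(targets[0] * targets[1] % P, c, P) % P
    return c == H(*bases, *targets, w)


if __name__ == "__main__":
    x, z = 1 + secrets.randbelow(Q - 1), 1 + secrets.randbelow(Q - 1)
    y, y2 = pow(G, x, P), pow(G2, z, P)
    cert = toy_certificate(x, 1 + secrets.randbelow(Q - 1), 1 + secrets.randbelow(Q - 1))
    Y, R = release_pairs(cert, y2)
    I, proof = open_signature(Y, z, y2)
    print("opened to the signer's pseudonym:", I == cert["I"], "proof verifies:", verify_open(Y, I, proof, y2))
```

Because $(Y_1, Y_2)$ and $(R_1, R_2)$ use fresh $\ell'$ and $\ell$ every time, two signatures by the same member share no visible value, which is the unlinkability that revealing $r$ in the earlier verifiable-encryption schemes destroys.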

5 Conclusions 

In this paper we introduced the first group signature scheme with constant-size 
parameters that does not require any group members, including group managers, 
to know trapdoor secrets. Our scheme is not bound to a specific setting but it 
can work in various groups where the Decision Diffie-Hellman assumption holds: 
The appendix §C contains a simpler construction in an RSA ring. 

Our scheme is less efficient than the state-of-the-art scheme in [3]. However, 
the scheme in [3] requires the group manager to know trapdoor information 
which cannot be shared with other group managers, thus making it difficult to 
enable collaboration among distinct groups. 
A Proofs of Knowledge 

All the proofs of knowledge listed in this section have been proved zero-knowledge 
in a statistical or computational sense within the random oracle model, under 
the Decisional Diffie-Hellman assumption and the Strong RSA assumption, explained 
below. 

Notation 1 (Groups and generators). 

— $\mathcal{J}$ stands for an arithmetic group, such as an RSA ring with composite 
modulus $n$ or the group $\mathbb{Z}_p^*$ of non-zero (multiplicative) residues modulo $p$. 

— $g$ stands for an element of $\mathcal{J}$ of unknown composite order or known prime 
order. Let $q$ be the order of $g$. 

— Let $\kappa$ be the smallest integer such that $2^\kappa$ is larger than $q$. We assume that 
$\kappa$ is known, even if $q$ is not. 

— $g$ generates the subgroup $\mathcal{G}$ of $\mathcal{J}$. 

Let $\mathcal{H}$ stand for a secure hash function which maps arbitrarily long bit-strings 
into bit-strings of fixed length $\tau$. Let $\epsilon$ denote a second security parameter. 

Definition 3 (Decisional Diffie-Hellman assumption (DDH)). Let $\mathcal{J}$ be 
a group and $g$ an element of known prime, or unknown composite, order $q$ in 
$\mathcal{J}$. Let $\mathcal{G} = \langle g \rangle$ be the subgroup generated by $g$ in $\mathcal{J}$. The DDH assumption 
for $\mathcal{G}$ is then that there is no efficient (randomized, probabilistic) algorithm that can 
distinguish between the two following distributions in $\mathcal{G}$: 

$\{(h, i, j)$, where $h, i, j$ are independently randomly distributed (i.r.d.) in $\mathcal{G}\}$ 

and 

$\{(h', i', j')$, where $h' = g^x$, $i' = g^y$, $j' = g^{xy}$ for i.r.d. $x, y$ with $0 < x, y < q\}$. 

A triple of group elements such as $(h', i', j')$ above is called a Diffie-Hellman 
triple. The DDH assumption is thus the statement that there is no efficient 
algorithm to distinguish between Diffie-Hellman triples and randomly generated 
triples. 
Definition 4 (Strong RSA assumption (SRSA)). Let $n = pq$ be a composite 
modulus, where $p$ and $q$ are two large primes. The strong RSA assumption 
states that there is no efficient (randomized, probabilistic) algorithm that, given 
as input $n$ and an integer $y$, but not the factorization of $n$, can produce two other 
integers $u$ and $e$, where $e > 1$ and $u^e = y \bmod n$. 

SRSA underlies the security of the proof of equality of logarithms in distinct 
groups (10). 

Definition 5 (Proof of knowledge of a discrete logarithm). $U$ can prove 
to a verifier $V$ his knowledge of an integer $x$ in $\{0, \ldots, 2^\kappa - 1\}$, such that $h = g^x$, 
by releasing integers $s$ and $c$, with $s$ in $\{-2^{\epsilon(\tau+\kappa)+1}, \ldots, 2^{\epsilon(\tau+\kappa)+1} - 1\}$ and $c$ 
in $\{0, \ldots, 2^\tau - 1\}$, s.t. $c = \mathcal{H}(g \| h \| g^s h^c)$, where the symbol $\|$ denotes string 
concatenation. 

In order to compute the pair $(s, c)$, $U$ generates a random integer $k$ in $\{-2^{\epsilon(\tau+\kappa)}, 
\ldots, 2^{\epsilon(\tau+\kappa)} - 1\}$ and sets $c = \mathcal{H}(g \| h \| g^k)$, and $s = k - cx$ (as integer). Denote it 
by (notation introduced in [11]): $PK[x : h = g^x]$. 

This proof of knowledge can be transformed into a digital signature, with $x$ 
being the secret key associated with public key $h$. To sign an arbitrary bitstring 
$m$, we instead compute $c$ as: $c = \mathcal{H}(g \| h \| g^s h^c \| m)$. Denote this signature of 
knowledge ([11]) by: $SPK[x : h = g^x](m)$. 

Returning to the notation in definition (5), if the order $q$ of the group $\mathcal{G}$ is 
known, then operations on the exponents should be computed modulo $q$, and 
some statements about the size of parameters can be simplified. In the above we 
would substitute: 

$x \in \{0, \ldots, 2^\kappa - 1\}$ by $x \in \{0, \ldots, q - 1\}$, 
$s \in \{-2^{\epsilon(\tau+\kappa)+1}, \ldots, 2^{\epsilon(\tau+\kappa)+1} - 1\}$ by $s \in \{0, \ldots, q - 1\}$, and 
$s = k - cx$ (in $\mathbb{Z}$) by $s = k - cx \bmod q$. 

In the following definitions we assume the group order $q$ is unknown; as above, 
it is straightforward to adapt them to the case of known order. 

Definition 6 (Proof of knowledge of a common discrete logarithm). $U$ 
can prove to a verifier $V$ his knowledge of an $x$ (with $0 < x < 2^\kappa$) s.t. two lists 
$g_1, g_2, \ldots, g_\ell$ and $h_1, h_2, \ldots, h_\ell$ (of elements of $\mathcal{G}$) satisfy $h_i = g_i^x$, $i = 1 \ldots \ell$, by 
releasing $s$ and $c$ ($-2^{\epsilon(\tau+\kappa)+1} < s < 2^{\epsilon(\tau+\kappa)+1}$ and $0 < c < 2^\tau$) s.t. 
$c = \mathcal{H}(g_1 \| \ldots \| g_\ell \| h_1 \| \ldots \| h_\ell \| (g_1 \cdots g_\ell)^s (h_1 \cdots h_\ell)^c)$. 

$U$ computes $c = \mathcal{H}(g_1 \| \ldots \| g_\ell \| h_1 \| \ldots \| h_\ell \| (g_1 \cdots g_\ell)^k)$ for a randomly chosen $k$ 
($-2^{\epsilon(\tau+\kappa)} < k < 2^{\epsilon(\tau+\kappa)}$), and sets $s = k - cx$. Denote it by: $PK[x : h_1 = 
g_1^x \wedge \cdots \wedge h_\ell = g_\ell^x]$. 

Definition 7 (Proof of knowledge of a representation). $U$ can prove his 
knowledge of elements $x_1, \ldots, x_\ell$ (with $0 < x_i < 2^\kappa$) s.t. a given element $A$ 
satisfies $A = g_1^{x_1} \cdots g_\ell^{x_\ell}$, by releasing $s_i$ and $c$ ($-2^{\epsilon(\tau+\kappa)+1} < s_i < 2^{\epsilon(\tau+\kappa)+1}$; $0 < 
c < 2^\tau$) s.t. $c = \mathcal{H}(g_1 \| \ldots \| g_\ell \| A \| g_1^{s_1} \cdots g_\ell^{s_\ell} A^c)$. 

Again, $U$ computes $c = \mathcal{H}(g_1 \| \ldots \| g_\ell \| A \| g_1^{k_1} \cdots g_\ell^{k_\ell})$ for randomly chosen 
$k_i$ ($-2^{\epsilon(\tau+\kappa)} < k_i < 2^{\epsilon(\tau+\kappa)}$), and sets $s_i = k_i - cx_i$. Denote it by: $PK[x_1, \ldots, x_\ell : 
A = g_1^{x_1} \cdots g_\ell^{x_\ell}]$. 

The next two proofs of knowledge assert that a committed value lies in an 
interval. The first one was introduced in [12], and corrected in [13]. The second 
one, which uses the first as building block, was introduced in [7], and is used in 
our scheme. 

Let g, h be two elements of Q. Assume that g and h are constructed in a 
provably random way, for instance as consecutive images of a secure pseudo- 
random generator. Generating g and h in such a way ensures that no one knows 
the discrete logarithm of g to basis h, or that of h to basis g. 

Definition 8 (Commitment to a secret value). Let $x$ be a secret value 
held by $U$. Let $g$ and $h$ be two provably random generators of $\mathcal{G}$. We say that 
$E = E(x, r) = g^x h^r$ is a commitment to the value $x$ in $\mathcal{G}$, where $r$ is a randomly 
generated value, $0 \le r < q$. 

If $q$ is unknown, then one must choose $r$ in a larger interval, say $-2^{\kappa+\tau+1} < r < 
2^{\kappa+\tau+1}$, to ensure that all elements in the interval $[0, q - 1]$ are sampled nearly 
uniformly. The commitment reveals nothing about $x$ in a statistical sense. 

Let $\mathcal{E}$ be a distinct arithmetic group of unknown composite order $n$. For 
instance, $\mathcal{E}$ can be chosen as the subgroup of quadratic residues in an RSA ring. 
Let $g = g_1$, $g_2$, $h = h_1$, and $h_2$ be provably random generators of $\mathcal{E}$. We assume 
that the smallest integer $\lambda$ s.t. $2^\lambda > n$ is known. Assume $U$ has published two 
commitments, $E = E_1(x, r_1) = g_1^x h_1^{r_1}$ in $\mathcal{G}$, and a second commitment $E_2(x, r_2) = 
g_2^x h_2^{r_2}$. 

Let $\delta$, $\sigma$ and $\sigma_2$ be other security parameters. Assume further that $x < b$. 

Definition 9 (Proof of knowledge of a committed value). $U$ can prove in 
ZK to a verifier $V$ knowledge of a number $x$ committed through $E = E(x, r) = 
g^x h^r$, by sending $V$ a triple $(c, D, D_1)$ satisfying: $c = \mathcal{H}(g \| h \| E \| g^D h^{D_1} E^{-c} 
\bmod n)$. 

$U$ generates random $t \in [1, 2^{\delta+\tau/2} b - 1]$ and $s \in [1, 2^{\delta+\tau/2+\sigma} n - 1]$; computes 
$W = g^t h^s \bmod n$; computes $c = \mathcal{H}(g \| h \| E \| W)$; and finally computes $D = 
t + cx$, $D_1 = s + cr$ (in $\mathbb{Z}$). 

Definition 10 (Proof of equality of two committed values). $U$ can prove in ZK to a verifier $V$ that two commitments $E_1 = E_1(x, r_1)$ and $E_2 = E_2(x, r_2)$ hide the same exponent $x$, by sending $V$ a quadruple $(c, D, D_1, D_2)$ satisfying: $c = \mathcal{H}(g_1 \| h_1 \| g_2 \| h_2 \| E_1 \| E_2 \| g_1^D h_1^{D_1} E_1^{-c} \bmod n \| g_2^D h_2^{D_2} E_2^{-c} \bmod n)$.

$U$ generates the random values $t \in [1, 2^{\delta+\tau/2} b - 1]$, $s_1 \in [1, 2^{\delta+\tau/2+\sigma_1} n - 1]$, and $s_2 \in [1, 2^{\delta+\tau/2+\sigma_2} n - 1]$. Next, $U$ computes $W_1 = g_1^t h_1^{s_1} \bmod n$, $W_2 = g_2^t h_2^{s_2} \bmod n$; and sets $c = \mathcal{H}(g_1 \| h_1 \| g_2 \| h_2 \| E_1 \| E_2 \| W_1 \| W_2)$. Finally, $U$ computes $D = t + cx$, $D_1 = s_1 + c r_1$, $D_2 = s_2 + c r_2$ (in $\mathbb{Z}$). Denote this by $PK[x, r_1, r_2 : E_1 = E_1(x, r_1) \wedge E_2 = E_2(x, r_2)]$.
Definition 11 (Proof that a committed number is a square). $U$ can convince a verifier $V$ that the commitment $E = E(x^2, r_1) = g^{x^2} h^{r_1} \bmod n$ ($r_1 \in [-2^\sigma n + 1, 2^\sigma n - 1]$) contains the square of a number known to $U$, by sending $V$ the quintuple $(F, c, D, D_1, D_2)$, where $c = \mathcal{H}(g \| h \| E \| F \| F^D h^{D_1} E^{-c} \bmod n \| g^D h^{D_2} F^{-c} \bmod n)$.

Indeed, $U$ generates a random $r_2$ in $[-2^\sigma n + 1, 2^\sigma n - 1]$, and sets $F = g^x h^{r_2}$. Notice now that $U$ can rewrite $E$ in the basis $\{F, h\}$ as $E(x, r_3) = F^x h^{r_3} \bmod n$, where $r_3 = r_1 - r_2 x$, and $r_3 \in [-2^\sigma bn + 1, 2^\sigma bn - 1]$. It is enough then for $U$ to use the previous proof of equality of the exponent $x$ committed through $E_1 = F = E(x, r_2)$ and $E_2 = E = E(x, r_3)$, i.e., execute $PK[x, r_2, r_3 : F = g^x h^{r_2} \wedge E = F^x h^{r_3}]$. Denote this by $PK[x, r_1 : E = E(x^2, r_1)]$.

Definition 12 (Proof that a committed number lies in a larger interval). A prover $U$ can convince a verifier $V$ that a number $x \in [0, b]$ which is committed in $E = E(x, r) = g^x h^r \bmod n$ ($r \in [-2^\sigma n + 1, 2^\sigma n - 1]$), lies in the much larger interval $[-2^{\delta+\tau/2} b, 2^{\delta+\tau/2} b]$, by sending $V$ the triple $(C, D_1, D_2)$, where $D_1 \in [cb, 2^{\delta+\tau/2} b - 1]$, and $C = \mathcal{H}(g \| h \| E \| g^{D_1} h^{D_2} E^{-c})$, $c = C \bmod 2^{\tau/2}$.

$U$ generates randoms $s \in [0, 2^{\delta+\tau/2} b - 1]$, $t \in [-2^{\delta+\tau/2+\sigma} n + 1, 2^{\delta+\tau/2+\sigma} n - 1]$; computes $W = g^s h^t \bmod n$; computes $C = \mathcal{H}(g \| h \| E \| W)$, and $c = C \bmod 2^{\tau/2}$; and sets $D_1 = s + cx$, $D_2 = t + cr$, repeating the procedure from the beginning if $D_1 \notin [cb, 2^{\delta+\tau/2} b - 1]$. We denote the above by $PK_{CFT}[x, r : E = E(x, r) \wedge x \in [-2^{\delta+\tau/2} b, 2^{\delta+\tau/2} b]]$.
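The following Python is an added example, not code from the paper: it implements Definitions 8 through 12 end to end (commitment, proof of knowledge of a committed value, proof of equality, the square proof built on the equality proof, and the CFT proof with its restart step) over a constructed toy modulus. The parameters $n = 23 \cdot 47$, $g = 4$, $h = 9$, $b = 2^{16}$, $\tau = 32$, $\delta = \sigma_1 = 8$, the SHA-256-based hash and all function names are my assumptions and far too small for real use.

```python
import hashlib
import secrets

# Toy parameters, constructed for this example (far too small for real use).
# n = p*q with safe primes p = 23 and q = 47; g and h are quadratic residues mod n
# standing in for the paper's "provably random" generators of the unknown-order group.
N = 23 * 47                 # 1081
G_, H_ = 4, 9
B = 2 ** 16                 # public bound b on the committed value x
TAU, DELTA, SIGMA1 = 32, 8, 8           # security parameters: c has tau bits
SIGMA2 = SIGMA1 + B.bit_length()        # room for r3 = r1 - r2*x in the square proof


def Hsh(*parts):
    """Fiat-Shamir hash H(.) : {0,1}* -> {0,1}^tau over '||'-joined decimal encodings."""
    data = "||".join(str(p) for p in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - TAU)


def commit(x, r, g=G_, h=H_):
    """E(x, r) = g^x h^r mod n (Definition 8); negative exponents use the inverse."""
    return pow(g, x, N) * pow(h, r, N) % N


def rand_in(lo, hi):
    """Uniform integer in the closed interval [lo, hi]."""
    return lo + secrets.randbelow(hi - lo + 1)


def prove_known(x, r):
    """Definition 9: knowledge of x in E = g^x h^r. Returns (c, D, D1)."""
    t = rand_in(1, 2 ** (DELTA + TAU // 2) * B - 1)
    s = rand_in(1, 2 ** (DELTA + TAU // 2 + SIGMA1) * N - 1)
    c = Hsh(G_, H_, commit(x, r), commit(t, s))
    return c, t + c * x, s + c * r          # D and D1 are computed over Z


def verify_known(E, proof):
    c, D, D1 = proof
    return c == Hsh(G_, H_, E, commit(D, D1) * pow(E, -c, N) % N)


def prove_equal(x, r1, r2, g1, h1, g2, h2):
    """Definition 10: E1 = g1^x h1^r1 and E2 = g2^x h2^r2 hide the same x."""
    E1, E2 = commit(x, r1, g1, h1), commit(x, r2, g2, h2)
    t = rand_in(1, 2 ** (DELTA + TAU // 2) * B - 1)
    s1 = rand_in(1, 2 ** (DELTA + TAU // 2 + SIGMA1) * N - 1)
    s2 = rand_in(1, 2 ** (DELTA + TAU // 2 + SIGMA2) * N - 1)
    W1, W2 = commit(t, s1, g1, h1), commit(t, s2, g2, h2)
    c = Hsh(g1, h1, g2, h2, E1, E2, W1, W2)
    return c, t + c * x, s1 + c * r1, s2 + c * r2


def verify_equal(E1, E2, proof, g1, h1, g2, h2):
    c, D, D1, D2 = proof
    W1 = commit(D, D1, g1, h1) * pow(E1, -c, N) % N
    W2 = commit(D, D2, g2, h2) * pow(E2, -c, N) % N
    return c == Hsh(g1, h1, g2, h2, E1, E2, W1, W2)


def prove_square(x, r1):
    """Definition 11: E = g^(x^2) h^r1 commits to a square. Returns (F, proof)."""
    r2 = rand_in(-(2 ** SIGMA1) * N + 1, 2 ** SIGMA1 * N - 1)
    F = commit(x, r2)                 # F = g^x h^r2
    r3 = r1 - r2 * x                  # then E = F^x h^r3, i.e. E in the basis {F, h}
    return F, prove_equal(x, r2, r3, G_, H_, F, H_)


def verify_square(E, F, proof):
    return verify_equal(F, E, proof, G_, H_, F, H_)


def prove_cft(x, r):
    """Definition 12 (CFT): x in [0, b] lies in [-2^(delta+tau/2) b, 2^(delta+tau/2) b]."""
    E, hi = commit(x, r), 2 ** (DELTA + TAU // 2) * B
    while True:                       # restart when D1 leaves the allowed interval
        s = rand_in(0, hi - 1)
        t = rand_in(-(2 ** (DELTA + TAU // 2 + SIGMA1)) * N + 1,
                    2 ** (DELTA + TAU // 2 + SIGMA1) * N - 1)
        C = Hsh(G_, H_, E, commit(s, t))
        c = C % 2 ** (TAU // 2)
        D1, D2 = s + c * x, t + c * r
        if c * B <= D1 <= hi - 1:
            return C, D1, D2


def verify_cft(E, proof):
    C, D1, D2 = proof
    c, hi = C % 2 ** (TAU // 2), 2 ** (DELTA + TAU // 2) * B
    if not c * B <= D1 <= hi - 1:
        return False
    return C == Hsh(G_, H_, E, commit(D1, D2) * pow(E, -c, N) % N)
```

The verifier never learns $x$ or $r$: it only recomputes the masked commitments $g^D h^{D_1} E^{-c}$ and checks them against the hash, and the interval check on $D_1$ is what bounds $x$ in the CFT proof.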

Definition 13 (Proof that a committed number lies in a slightly larger interval). A prover $U$ can convince a verifier $V$ that a number $x \in [a, b]$, committed in $E = E(x, r) = g^x h^r \bmod n$ ($r \in [-2^\sigma n + 1, 2^\sigma n - 1]$) lies in the slightly larger interval $[a - \alpha, b + \alpha]$, where $\alpha = 2^{\delta+\tau/2+1} \sqrt{b - a}$, by releasing $\bar{E}_1$, $\tilde{E}_1$, and proving: $PK[x, r : E = E(x, r)]$, $PK[\bar{x}_1, \bar{r}_1 : \bar{E}_1 = E(\bar{x}_1^2, \bar{r}_1)]$, $PK[\tilde{x}_1, \tilde{r}_1 : \tilde{E}_1 = E(\tilde{x}_1^2, \tilde{r}_1)]$, $PK_{CFT}[\bar{x}_2, \bar{r}_2 : \bar{E}_2 = E(\bar{x}_2, \bar{r}_2) \wedge \bar{x}_2 \in [-\alpha, \alpha]]$, where $\bar{E}_2 = \bar{E}/\bar{E}_1 \bmod n$, $PK_{CFT}[\tilde{x}_2, \tilde{r}_2 : \tilde{E}_2 = E(\tilde{x}_2, \tilde{r}_2) \wedge \tilde{x}_2 \in [-\alpha, \alpha]]$, where $\tilde{E}_2 = \tilde{E}/\tilde{E}_1 \bmod n$.

$U$ computes $\bar{E} = E/g^a \bmod n$, $\tilde{E} = g^b/E \bmod n$; sets $\bar{x} = x - a$ and $\tilde{x} = b - x$; computes $\bar{x}_1 = \lfloor \sqrt{x - a} \rfloor$, $\bar{x}_2 = \bar{x} - \bar{x}_1^2$, $\tilde{x}_1 = \lfloor \sqrt{b - x} \rfloor$, $\tilde{x}_2 = \tilde{x} - \tilde{x}_1^2$; generates random $\bar{r}_1$ and $\bar{r}_2$ in $[-2^\sigma n + 1, 2^\sigma n - 1]$ s.t. $\bar{r}_1 + \bar{r}_2 = r$, and similarly $\tilde{r}_1$, $\tilde{r}_2$ s.t. $\tilde{r}_1 + \tilde{r}_2 = -r$; computes the commitments $\bar{E}_1 = E(\bar{x}_1^2, \bar{r}_1)$, $\bar{E}_2 = E(\bar{x}_2, \bar{r}_2)$, $\tilde{E}_1 = E(\tilde{x}_1^2, \tilde{r}_1)$, and $\tilde{E}_2 = E(\tilde{x}_2, \tilde{r}_2)$; and executes the proofs of knowledge listed in the above definition. We denote the above proof of knowledge by $PK[x, r : E = E(x, r) \wedge x \in [a - \alpha, b + \alpha]]$.

The last cryptographic building block we need is the verifiable ElGamal encryption of an exponent.

Definition 14 (Verifiable ElGamal encryption of an exponent). Assume $U$ holds a secret $r$, and has published the value $\omega = \chi^r$. Here $\chi$ is a generator of a group $\Gamma$ of order $n$, where $n$ may be prime or composite, and $0 < r < n$. We assume that the DDH assumption holds in $\Gamma$. It is possible for $U$ to prove in zero-knowledge that a pair $(A = r^{-1} y^a, B = g^a) \bmod n$ is an ElGamal encryption under public key $y$ of the exponent of $\omega$ to basis $\chi$.

We denote it by: $PK[r : \omega = \chi^r \wedge A = r^{-1} y^a \wedge B = g^a]$. The proof can be found in [28], and we repeat it here for convenience. For $i$ in $\{1, \ldots, v\}$, $U$ generates random $t_i$ and computes $g_i = g^{t_i}$, $y_i = y^{t_i}$, and $\omega_i = \chi^{y_i}$. Next, $U$ computes

$c = \mathcal{H}(\chi \| \omega \| A \| B \| g_1 \| \omega_1 \| \cdots \| g_v \| \omega_v)$. (9)

Next, $U$ computes $s_i = t_i - c_i a$, where $c_i$ stands for the $i$-th bit of $c$. The proof consists of $c$ and $s_i$, $i = 1, \ldots, v$. In order to verify, $V$ recomputes $g_i' = g^{s_i} B^{c_i}$, $y_i' = y^{s_i} A^{c_i}$, and $\omega_i' = \chi^{y_i'}$ when $c_i = 0$ (resp. $\omega_i' = \omega^{y_i'}$ when $c_i = 1$), and checks that (9) holds with $g_i'$, $\omega_i'$ in place of $g_i$, $\omega_i$. The rationale for the proof is that, when $c_i = 0$, the verifier checks that $g_i$ and $\omega_i$ are correctly constructed; when $c_i = 1$, the verifier checks that $(A, B)$ is the ElGamal encryption of the discrete logarithm of $\omega$ to basis $\chi$, provided that $g_i$ and $\omega_i$ are constructed correctly. If the statement were false, $U$ could pass only one of the verification equations, for each $i$. In the random oracle model, the probability of $U$ successfully proving a false statement is $2^{-v}$.
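A worked version of Definition 14, added here as an example and not taken from the paper: prover and verifier for the cut-and-choose proof above, with the group manager's decryption alongside. The toy parameters ($n = 1019$, $p = 2n + 1 = 2039$ so that the squares mod $p$ form $\Gamma$ of order $n$, $\chi = 4$, ElGamal in $\mathbb{Z}_n^*$ with basis $g = 2$, $v = 40$ challenge bits) and the function names are my assumptions and far too small for real use.

```python
import hashlib
import secrets

# Toy parameters, constructed for this example (far too small for real use).
# N = 1019 and P = 2*N + 1 = 2039 are prime, so the squares mod P form the group
# Gamma of order N; CHI = 4 generates it. ElGamal lives in Z_N^* with basis G.
N = 1019
P = 2 * N + 1
G = 2
CHI = 4
V = 40            # number of binary challenges; a false statement passes with prob 2^-V


def H(*parts):
    """Fiat-Shamir hash over '||'-joined decimal encodings (equation (9))."""
    data = "||".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def elgamal_keygen():
    x = secrets.randbelow(N - 2) + 1
    return x, pow(G, x, N)


def encrypt_exponent(r, y):
    """(A, B) = (r^-1 y^a, g^a) mod N: ElGamal encryption of the exponent r under y."""
    a = secrets.randbelow(N - 2) + 1
    return (pow(r, -1, N) * pow(y, a, N) % N, pow(G, a, N)), a


def decrypt_exponent(x, A, B):
    """Group manager side: r = B^x / A mod N."""
    return pow(B, x, N) * pow(A, -1, N) % N


def prove(r, a, y, omega, A, B):
    """Prover's side of PK[r : omega = chi^r  and  A = r^-1 y^a  and  B = g^a]."""
    t = [secrets.randbelow(N - 1) + 1 for _ in range(V)]
    g_i = [pow(G, ti, N) for ti in t]
    y_i = [pow(y, ti, N) for ti in t]
    omega_i = [pow(CHI, yi, P) for yi in y_i]      # exponent y_i is taken mod N = |Gamma|
    c = H(CHI, omega, A, B, *[v for pair in zip(g_i, omega_i) for v in pair])
    s = [t[i] - ((c >> i) & 1) * a for i in range(V)]   # s_i = t_i - c_i a over Z
    return c, s


def verify(y, omega, A, B, c, s):
    g_i, omega_i = [], []
    for i in range(V):
        ci = (c >> i) & 1
        gi = pow(G, s[i], N) * pow(B, ci, N) % N      # g^s_i B^c_i
        yi = pow(y, s[i], N) * pow(A, ci, N) % N      # y^s_i A^c_i
        # c_i = 0 checks omega_i = chi^{y_i}; c_i = 1 checks omega_i = omega^{y_i},
        # which only holds if A really hides r^-1 (then r * y_i = y^t_i mod N).
        wi = pow(CHI, yi, P) if ci == 0 else pow(omega, yi, P)
        g_i.append(gi)
        omega_i.append(wi)
    return c == H(CHI, omega, A, B, *[v for pair in zip(g_i, omega_i) for v in pair])
```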

B Security Analysis 

Before the introduction of a formal model of security of group signature schemes [5], it was common practice to prove the security of a scheme by showing that it would satisfy the various informal requirements listed in §2. Of course, it is impossible to be sure that any such list is complete, and in fact early schemes failed to identify the need for resistance against coalition/collusion attacks (see [4] for a discussion about this issue).

Thanks to the formal model, a clearer picture about the complete security requirements of group signatures has now emerged; a scheme proven to satisfy “full anonymity” and “full traceability” can be trusted to provide security - at least as long as the particular computational assumptions underlying the cryptographic primitives (digital signatures, encryption, proofs-of-knowledge) used in the scheme hold up. Unfortunately it is challenging to provide a proof in the new model. The only example of such a proof is for the general construction given in [5] itself. While that construction shares similar design principles with ours, their proof works in a different model of computation. In particular, security conditions for the proofs-of-knowledge are defined in the Common Reference String model. On the other hand, the primitives used in our scheme are provably secure only in the Random Oracle Model (ROM). Indeed, ALL primitives based on discrete logarithms (which we must use if the scheme is to be functionally trapdoor-free) are only proven secure in the ROM. Thus, in order to provide a formal security proof, we would have to adapt the framework of [5] to the ROM setting. We plan to pursue this direction in a future journal publication of this work. In this section we will give some arguments on how such a formal proof would work for our scheme. Before we proceed, however, we would like to remark that it is simple to prove the security of our scheme by going over each property in §2. In fact, the only requirement that is not clear from the construction is security against coalition attacks. Equivalently, it is not obvious whether group membership certificates are unforgeable even if some (or all) of the group members conspire to share their secrets, because our scheme uses a new, modified Nyberg-Rueppel signature for certificate issuance. Indeed, certificate unforgeability is equivalent to the property that this signature be existentially unforgeable under active attacks. We now prove the security of the modified Nyberg-Rueppel signature.

Proposition 1 (Forking lemma for modified Nyberg-Rueppel). Let $\mathcal{A}$ be an adversary which attempts to forge modified Nyberg-Rueppel signatures on messages issued under the public key $y = g^x$. Assume $\mathcal{A}$ has a non-negligible probability of success, as computed over the sample space of messages $m$, random tapes $r$ and random bases $g_1$. Then $\mathcal{A}$ has a non-negligible probability of success of computing relative discrete logarithms in the group $\mathcal{G}$.

Proof. Since $\mathcal{A}$ has non-negligible success probability over sample triples $(m, r, g_1)$, a standard product sample argument can be used to show that for a non-negligible set of choices of values for the first two components (i.e., values for the message $m$ and random tape $r$) the algorithm has a non-negligible probability of success over choices for the remaining component (the basis $g_1$ in $\mathcal{G}$). Now consider the following reduction to the relative discrete logarithm problem. Given two arbitrary values $g_2$ and $g_3$ in $\mathcal{G}$, choose (with non-negligible probability of success) values $m$ and $r$ such that $\mathcal{A}$ can forge signatures on message $m$ with random tape $r$ for a non-negligible subset of bases $g_1$ in $\mathcal{G}$. Then, with non-negligible probability, both $g_2$ and $g_3$ will belong to that subset. But this implies that $\mathcal{A}$ can compute a pair $(m, r)$ and values $s$ and $s'$ such that $g_2^m = r y^r g^s$ and $g_3^m = r y^r g^{s'}$. Dividing the equations, we get $(g_2/g_3)^m = g^{s-s'}$, which yields a relative discrete logarithm relation among $g_2$, $g_3$ and $g$.

Proposition 2. The modified Nyberg-Rueppel signature scheme, as a signature scheme on short messages, is existentially unforgeable under chosen message attacks, if the discrete logarithm problem is hard in $\mathcal{G}$.

Proof. Since we are considering short messages only, there is no need to use the random oracle model. The previous proposition reduces such forgeries to the hardness of discrete logarithm computations. Of course the reduction is “loose” by a factor of 2: if you can forge signatures with probability at least $p$, the probability of successful computation of discrete logarithms is at least $p^2$.

Notice that the SIGN protocol is a Schnorr-type signature scheme, in the sense that it binds all the signature parameters in a single hash computation, and the signer’s secret is a discrete logarithm. In fact, the signature itself includes a proof of knowledge of the discrete logarithm of the signer’s public key with respect to a fixed basis (also tied in the hash computation). Such constructions can be proven secure in the random oracle model [26]. In other words, individual group member signatures are secure against existential forgery by adaptively chosen message attacks.

Consider now the anonymity game. The attacker has corrupted all secret keys of all group members. It is allowed to query an OPEN oracle for opening arbitrary valid signatures. After possibly some interaction with the oracle it can choose two identities $i_0$ and $i_1$ and a message $m$. The adversary challenge $\sigma$ is then a valid group signature on $m$ that is known to have been issued by either $i_0$ or $i_1$ with equal probability. The adversary is allowed to further interact with the OPEN oracle, but is now restricted not to query the oracle with the challenge.

Claim (Reduction to passive attacks). Assume that the group member signature 
is secure against existential forgery by adaptively chosen message attacks, and 
that it implements a sound zero-knowledge proof of knowledge of a certificate 
on a pseudonym and its associated secret. If there is an efficient attacker that, 
upon interacting with an OPEN oracle, can guess the identity of the signer on 
the challenge with non-negligible advantage over a random guess, then there is 
an efficient attacker without access to an OPEN oracle that can similarly guess 
the identity of the signer with non-negligible advantage over a random guess. 

Argument. The idea for the proof is as follows: Let $\mathcal{A}_0$ be an attacker with access to the oracle, and $\mathcal{A}_1$ an attacker that has full access to ALL the group members for all time - i.e., it is able to see the internal state of the group members that led to the computation of group signatures (except that it cannot see the computation of the challenge). However, $\mathcal{A}_1$ is not given access to the oracle. Let $Q$ be some query made by $\mathcal{A}_0$ to the oracle. If the oracle accepts and decrypts the message, then it means that either the query included a valid group member signature or that the proof of knowledge was forged. Since we assume the proof of knowledge is sound, this second case can only happen with negligible probability. Therefore, with overwhelming probability the adversary either submitted a signature previously computed by some group member, or $\mathcal{A}_0$ constructed a new signature using its knowledge of one of the group members’ secret keys. In the latter case, $\mathcal{A}_0$ already knew what the response of the oracle would be and could have continued the computation without need of the query $Q$. In the former case, $\mathcal{A}_0$ does acquire knowledge through the interaction, but this knowledge is available to $\mathcal{A}_1$ through its access to the internal state of all group members through time. So with overwhelming probability we can reduce a computation of $\mathcal{A}_0$ to one of $\mathcal{A}_1$.

Claim (Full anonymity). Under the assumptions of the previous proposition, and 
assuming further that the signature of knowledge composes well with ElGamal 
encryption, our group signature scheme provides full anonymity. 

Argument. Since the identity of the signer is encrypted using ElGamal, which is semantically secure, it is safe against passive attacks on the encryption scheme, as long as the proofs of knowledge compose well with it. But from the previous proposition, we know that an adversary does not gain any significant advantage from accessing the OPEN oracle, i.e., from staging active attacks against the encryption scheme.

Remark 2. Such a result may sound surprising, especially in view of the proof in [5], which implies that in order for a group signature scheme to be secure in the formal model it is required that the cipher used be secure against chosen ciphertext attacks, whereas our scheme uses ElGamal, which is only semantically secure. Still, in light of results such as [27], it is at least conceivable that semantic security is sufficient if the proofs of knowledge are non-malleable.

Moreover, our scheme can be easily modified to use Cramer-Shoup encryption instead of ElGamal. This will only require adding the authenticating tags to each of the two ElGamal encrypted pairs $(Y_1, Y_2)$ and $(R_1, R_2)$ and verifying such tags during signature verification as well as before decrypting within the signature opening algorithm. (Notice that the authenticating tags can be shown well-constructed without requiring knowledge of the Cramer-Shoup scheme’s private keys.)

The second property we should prove is the full traceability. 

Claim (Full traceability). Under the assumptions of the previous claims, and 
using the fact that the modified Nyberg-Rueppel signature is unforgeable under 
chosen message attacks, our group signature scheme is fully traceable. 

Argument. To prove such a claim one must show that it is impossible for an adversary to produce a signature that, when opened, reveals either an invalid pseudonym or a valid pseudonym whose secret is unknown to the attacker. In each case, the attacker must either be capable of forging the proof of knowledge of a certificate on a pseudonym and associated secret, or must be able to produce certificates for new, invalid users. (Forging a new certificate for a valid, uncompromised user would NOT suffice, for the adversary would still have to prove knowledge of the pseudonym secret.) The latter case is not possible because the modified Nyberg-Rueppel is existentially unforgeable under chosen message attacks. The former case would violate the assumption that the Schnorr signature implements sound proofs-of-knowledge.


C An Alternative Construction in the RSA Ring 

In this appendix we briefly describe another possible realization of the scheme. Much of the notation and procedures are the same as in section 4. The shared parameters are chosen differently. We define $\mathcal{G}$ to be the group of quadratic residues in the RSA ring generated by a composite modulus which is a product of safe primes. Namely, a trusted party generates two safe primes $p$, $q$, and publishes $n = pq$. After constructing a proof that $n$ is formed correctly, the third party may forget its factorization, as it is not needed for the scheme. The group $\Gamma$ is chosen as a group of order $n$. For that, one searches for a prime $p$ so that $p = mn + 1$, where $m$ is a small number. One then sets $\Gamma$ to be the subgroup of $m$-powers in the group $\mathbb{Z}_p^*$. The group-specific parameters are the same.

The JOIN protocol is little changed. There are no restrictions on the value of $r = I_U g^{-k} \bmod n$, where $k$ is chosen in the interval $[-2^{\tau+2\kappa}, 2^{\tau+2\kappa} - 1]$; as before, $\kappa$ stands for the bitlength of $|\mathcal{G}|$. The terms $a$, $b$, and $s$ cannot be reduced modulo the order of $\mathcal{G}$, which is unknown.


Table 5. Shared and group specific parameters.

Shared parameters:
Security parameters $\delta, \epsilon, \sigma_1, \sigma_2, \tau$ (integers);
Secure hash function $\mathcal{H}(\cdot) : \{0,1\}^* \to \{0,1\}^\tau$;
$n$, a composite integer, the product of safe primes;
$p$, a prime satisfying $p = mn + 1$, where $m$ is small;
$\mathcal{G} = \{x \in \mathbb{Z}_n^* : \exists a \in \mathbb{Z}_n^* \text{ s.t. } x = a^2 \bmod n\}$;
$\Gamma = \{x \in \mathbb{Z}_p^* : \exists a \in \mathbb{Z}_p^* \text{ s.t. } x = a^m \bmod p\}$;
$P$, an (optional) proof that $n$ is a product of safe primes;
$g$, $g_1$, and $g_2$, generators of $\mathcal{G}$;
$P'$, an (optional) proof that $g$, $g_1$, and $g_2$ are quadratic residues.

Group-specific parameters:
$S$, a string including $y$ and $y_2$;
CA's signature $\mathrm{CERT}_{CA}(S)$.


Table 6. The JOIN protocol.

U → GM: $I_U = g_1^u \bmod n$
GM: $a, b \in [-2^{\tau/2+\kappa}, 2^{\tau/2+\kappa} - 1]$
U → GM: $\mathrm{Sig}_U(I_U = g_1^u \bmod n, PK[u : I_U = g_1^u])$
GM → U: $r = I_U g^{-k} \bmod n$, $s = -xr + k$, with $k \in [-2^{2\kappa+\tau+1}, 2^{2\kappa+\tau+1} - 1]$


Table 7. The SIGN protocol.

Proof arguments: $Y_1, Y_2, R_1, R_2, \chi, E_1$.

Signature of knowledge:
$SPK[u, e', f, r, s, t : Y_1 = g_1^u g^{e'} \wedge Y_2 = g^{e'} \wedge E_1 = E_1(r, 0) = \chi^r \wedge R_1 = r^{-1} y_2^t \wedge R_2 = g^t \wedge E_2 = Y_1 R_1 = E_2(r, s, t) = y^r g^s y_2^t \wedge Y_2 R_2 = g^f](M)$


The SIGN protocol can be considerably simplified. There is no need for an extra commitment in a group of unknown order, as the order of the group $\mathcal{G}$ is itself unknown. Moreover, there is no need to prove that the $r$ in the commitment $E_1$ is bounded in a certain interval, as a cheating $U$ could not find a value that reduces to different values $r_1 \bmod n$ and $r_2 \bmod \phi(n)$ while satisfying the signature equation, because $\phi(n)$ is unknown to $U$.

Protocol OPEN is unchanged from the previous case. 
Abstract. Constructing practical and provably secure group signature schemes has been a very active research topic in recent years. A group signature can be viewed as a digital signature with certain extra properties. Notably, anyone can verify that a signature is generated by a legitimate group member, while the actual signer can only be identified (and linked) by a designated entity called a group manager. Currently, the most efficient group signature scheme available is due to Camenisch and Lysyanskaya [CL02]. It is obtained by integrating a novel dynamic accumulator with the scheme by Ateniese, et al. [ACJT00].

In this paper, we construct a dynamic accumulator that accumulates 
composites, as opposed to previous accumulators that accumulated 
primes. We also present an efficient method for proving knowledge of fac- 
torization of a committed value. Based on these (and other) techniques 
we design a novel provably secure group signature scheme. It operates 
in the common auxiliary string model and offers two important bene- 
fits: 1) the Join process is very efficient: a new member computes only 
a single exponentiation, and 2) the (unoptimized) cost of generating a 
group signature is 17 exponentiations which is appreciably less than the 
state-of-the-art.


1 Introduction 

The notion of group signatures was introduced by Chaum and van Heyst in 
1991 [CvH91]. Since then, seeking practical and provably secure group signature 
schemes - and their interactive dual known as identity escrow [KP98] - has been 
a very active research area in applied cryptography. A group signature can be 
seen as a normal digital signature with the following extra properties: anyone 
can verify that a signature is generated by a legitimate group member, while the 
actual signer can only be identified and linked by a designated entity called a 
group manager. 

The basic idea underlying most group signature schemes (as well as ours) is the following: In order for a group member (Alice) to sign a message, she needs to construct an authorization-proof to show that she has a legitimate membership certificate, and an ownership-proof to demonstrate knowledge of the secret corresponding to the membership certificate. The issues in these two proofs are similar to those encountered in a normal public key infrastructure (PKI) setting, namely, a signature can be verified using the alleged signer’s public key contained in a certificate which has not been revoked. However, the group signature scenario is more complicated, since a signer cannot show her membership certificate without compromising her anonymity. It is precisely this anonymity requirement that makes it very difficult to have a practical solution that facilitates revocation of membership certificates (a concept compatible to certificate revocation in a normal PKI), or the validity check of non-revoked membership certificates.

* Work done while affiliated with University of California at Irvine.

Early group signature schemes (e.g., [CP94]) have the characteristics that 
the sizes of the group public key and/or of group signatures linearly depend 
on the number of group members. The advantages of these schemes include: 
(1) many of the schemes have been proven secure using some standard crypto- 
graphic assumptions (such as the hardness of computing discrete logarithms), 
and (2) authorization-proof is trivial since revoking a member is done by the 
group manager that removes the corresponding membership certificate from the 
group public key. The disadvantage of such schemes is that the complexity of ownership-proof, namely proving and verifying that one knows the secret corresponding to a (non-identified yet non-revoked) membership certificate, is linear in the number of current members and thus becomes inefficient for large groups.

To combat linear complexity incurred as part of ownership-proof Camenisch 
and Stadler [CS97] took a different approach where the sizes of the group public 
key and of group signatures are constant and independent of the number of cur- 
rent group members. This approach has been adopted in some follow-on results, 
e.g., [CM98,CM99a,ACJT00]. As initially presented, these schemes only support 
adding new members. Since then, [CS97] and [ACJT00] have been extended to 
support membership revocation [BS01,S01,AST02]. However, revocation incurs 
certain significant costs due to some (or all) of the following: 

— Group manager re-issuing all certificates for each revocation interval. 

— Group member (signer) proving, as part of signing, that her certificate is not 
revoked. 

— Verifier checking each group signature against the current list of revoked 
certificates. 

As pointed out in [CL02], each of the above has a linear dependency either 
on the number of current, or the total number of deleted, members. 

State-of-the-Art. Currently, the most efficient group signature scheme is due to Camenisch and Lysyanskaya [CL02]. It is constructed by incorporating a dynamic accumulator, which allows efficient authorization-proofs, into the group signature scheme due to Ateniese, et al. [ACJT00], which allows efficient ownership-proofs. The concept of dynamic accumulators introduced in [CL02] is a variant of the accumulator due to Baric and Pfitzmann [BP97]. It enables a group member to conduct a light-weight authorization-proof such that both the proving and verifying complexities are independent of the number of the current, or total deleted, members. We note that the use of dynamic accumulators to facilitate authorization-proofs requires the group manager to disseminate certain information, such as the values deleted from the accumulator, whenever a member (or a set thereof) joins or leaves the group.

1.1 Contributions 

The main contribution of this paper is a new group signature scheme provably se- 
cure against adaptive adversaries, i.e., adversaries allowed to adaptively join and 
leave the group. The scheme is obtained by integrating several building blocks, 
some of which are new (e.g., the dynamic composites accumulator), while oth- 
ers are more efficient than previous techniques providing the same functionality 
(e.g., the multiplication protocol that allows one to prove that she knows the 
factorization of a committed value). More specifically: 

— A new dynamic accumulator that accumulates composites (see Section 5.1), 
as opposed to the prior construct that accumulates primes [CL02]. This 
accumulator fits well into a group signature scheme because it allows us to 
conduct simultaneous authorization-proofs and ownership-proofs based on 
the factorizations of accumulated composites. 

— A protocol (in Section 5.2) for proving knowledge of factorization of a committed value, which, in our case, corresponds to an accumulated composite. This protocol is more efficient than prior art, such as [DF02].

— A protocol (in Section 5.3) for verifiable encryption of discrete logarithms, based on the public key cryptosystem due to Catalano, et al. [CGHN01]. This protocol is more efficient than previous similar protocols (e.g., the one presented in [MR01]) based on the Paillier cryptosystem [P99].

As mentioned earlier, the state-of-the-art group signature scheme by Camenisch and Lysyanskaya is obtained by integrating a dynamic prime accumulator [CL02] with the bare group signature scheme in [ACJT00]. This integration was needed since a prime accumulator cannot be used for ownership-proof. In comparison with the [CL02] scheme, our approach has three major benefits:

— Use of the new accumulator construct simultaneously for both ownership-proof and authorization-proof. This yields a conceptually simpler scheme.

— Efficient Join: a new member only computes a single exponentiation in order to verify that her composite has been correctly accumulated. In comparison, Join involves more than 30 exponentiations in [CL02]. We note that this complexity does not stem from the use of the dynamic accumulator; it is inherited from Join of [ACJT00].

— Efficient Sign and Verify: the computational complexity of signing is 17 exponentiations (without any optimizations) which is notably lower than 25 in the Camenisch-Lysyanskaya sche me. A similar gain in efficiency is also achieved in the verification process.

Our scheme also has some potential drawbacks. They are discussed in Sec- 
tion 7. 
1.2 Organization

In Section 2, we overview the model and goals of group signatures. Then, in 
Section 3, we introduce the basic ideas underlying our group signature scheme. 
Section 4 presents some cryptographic preliminaries and Section 5 describes 
some building blocks. The new group signature scheme is found in Section 6; its 
features and potential drawbacks are discussed in Section 7. Due to space limi- 
tations, technical details of the security proof and some interesting discussions 
are deferred to the extended version [TX03]. 

2 Model and Goals 

Participants. A group signature scheme involves a group manager (responsible for admitting/deleting members and for revoking anonymity of group signatures, e.g., in cases of dispute or fraud), a set of group members, and a set of signature verifiers. All participants are modeled as probabilistic polynomial-time interactive Turing machines.

Communication Channels. All communication channels are assumed to be 
asynchronous. The communication channel between a signer and a receiver is 
assumed to be anonymous. 

Trust. We assume that the group manager will not admit unauthorized individ- 
uals into the group. This is reasonable, since, otherwise, the group manager can 
issue valid membership certificates to rogue members and thus make the group 
signature scheme useless. We assume that the group members, whether honest 
or not, behave rationally. More precisely, a dishonest group member may seek to 
undermine the system (e.g., by colluding with other internal or external parties) 
as long as the attack will not be traced back to herself. Nonetheless, she will not 
take the chance if she (or anyone else colluding with her) is bound to be caught. 
This assumption is also reasonable since, in any group signature scheme (indeed, 
in any cryptographic setting), a dishonest user could (for instance) simply give 
away her own secrets. However, she is bound to be held accountable for any 
consequences of such misbehavior. 

2.1 Definitions 

A group signature scheme consists of the following procedures: 

— Setup. On input a security parameter, this probabilistic algorithm outputs 
the initial group public key and the secret key for the group manager. 

— Join. This is a protocol executed between the group manager and a user who 
is to become a group member. The user’s output is a membership certifi- 
cate and a membership secret; the group manager’s output is some updated 
information that indicates the current state of the system. 

— Revoke. This is a deterministic algorithm which, on input a membership cer- 
tificate, outputs some updated information that indicates the current state 
of the system after revoking the given membership certificate. 
— Update. This is a deterministic algorithm that may be triggered by any Join or Revoke operation. It is run by the group members after obtaining certain information from the group manager.

— Sign. This is a probabilistic algorithm which, on input of: a group public 
key, a membership certificate, a membership secret and a message, outputs 
a group signature. 

— Verify. This is a deterministic algorithm for establishing the validity of an 
alleged group signature on a message with respect to the group public key. 

— Open. This is an algorithm which, on input of: a message, a valid group 
signature, a group public key and a group manager’s secret key, determines 
the identity of the actual signer. 

2.2 The Goals 

A secure group signature scheme must satisfy the following properties: 

— Correctness. Any signatures produced by a group member using Sign 
must be accepted by Verify. 

— Unforgeability. Only group members are able to sign messages on behalf 
of the group. 

— Anonymity. Given a valid group signature, identifying the actual signer is 
computationally hard for everyone but the group manager. 

— Unlinkability. Deciding whether two different group signatures were gen- 
erated by the same member is computationally hard for everyone but the 
group manager. 

— No-framing. No combination of a group manager and a subset of dishonest 
group members can sign on behalf of a single honest member. That is, no 
honest member can be made responsible for a signature she did not produce. 

— Traceability. The group manager is always able to identify the actual 
signer of any valid group signature. 

— Coalition-resistance. A colluding subset of group members (even all 
members) cannot generate a signature that the group manager cannot trace. 

3 Basic Ideas 

The basic idea underlying our group signature scheme is to utilize an accumulator that accumulates composites, where the factorization of a composite is only known to the user who generates it. More specifically, suppose a group member has a witness $w$ such that $w^e = v \bmod n$ where $v$ is the public accumulator value and $n$ is the product of two safe primes. The factorization of $e = e_1 e_2$ (i.e., the primes $e_1$ and $e_2$) is only known to the member. This knowledge allows the user to conduct an ownership-proof by demonstrating that $e = e_1 e_2$. The witness $w$ facilitates an authorization-proof that $w^e = v \bmod n$.

While the basic idea is quite simple, we must deal with potential abuses. 
We now present an informal discussion of some subtleties, and suggest counter- 
measures. Readers who prefer to commence with the more in-depth technical 
description may wish to skip this section. 



274 Gene Tsudik and Shouhuai Xu 


Q: How to ensure anonymity while preserving authenticity? 

A: A signer “encrypts” both $w$ and $e$ such that the required properties regarding 
them can be shown on the corresponding “ciphertexts”. In particular, a 
signer needs to show $w^e = v$ for the authorization-proof, and $e = e_1 e_2$ for 
the ownership-proof. As long as $e$ is chosen such that it is infeasible to factor, 
no group of participants (including the group manager) can frame an honest 
group member. 

Q: How to deal with multiple dishonest group members who collude (by revealing 
to each other the factorizations of their respective composites) and produce 
new membership certificates? For example, if Alice chooses $e_1 = e_{1,1} e_{1,2}$ 
and Bob chooses $e_2 = e_{2,1} e_{2,2}$, they can collude to obtain new membership 
certificates for values such as $e_1 e_{2,1}$ or $e_{1,1} e_{2,1}$. 

A: Although we cannot prevent such abuses, we can ensure that the group 
manager can factor at least one of the colluding group members' composites ($e_1$, or $e_2$, 
or even both) and thus identify at least one of the miscreants. One way to 
do this, as we shall see, is to use a public key encryption scheme (for which 
the group manager knows the private key) so that the signer is forced to 
encrypt the “accumulated” value she is claiming. Note that even a dishonest 
member cannot afford to encrypt $e_{1,1}$, since otherwise the group manager 
can factor her composite and forge signatures that will be traced back to the 
dishonest member. 

Q: How to deal with multiple dishonest group members who collude (but do not 
reveal to each other the factorizations of their composites) and produce new 
membership certificates? For example, suppose that Alice holds $(w_1, e_1)$ and 
Bob holds $(w_2, e_2)$, where $e_1 = e_{1,1} e_{1,2}$, $e_2 = e_{2,1} e_{2,2}$, and $w_1^{e_1} = w_2^{e_2} = v$. They 
can collude and generate $(w', e' = e_1 e_2)$ such that $(w')^{e_1 e_2} = v$. 

A: We prevent such attacks by requiring all verifiers to check that $e'$ falls within 
a certain range (the product of two legitimately accumulated composites exceeds it). 

Q: Does the group manager need to check whether a composite presented by a 
new user during Join is well-formed, i.e., a product of two large primes? If 
not, what if a dishonest group member chooses $e$ to be a single prime or a 
product of multiple (more than 2) primes? 

A: We do not aim to prevent such abuses (this also justifies our efficiency gains). 
However, as will be shown, no adversary can gain any benefit from any such 
abuse, since the group manager is always able to identify at least one of 
the colluding group members. Moreover, choosing appropriate composites is 
in the user's own interest. 

Q: What if the group manager attempts to frame an honest group member by 
using the group member's membership certificate $(w, e)$, where $w^e = v$, while 
providing a proof of factorization of some value $e' \neq e$? 

A: The Sign process ensures that, if the group manager proves knowledge of the 
factorization of an “accumulated” value $e' \neq e$, then the witness value that 
the group manager (or any impersonator) is showing is $w' \neq w$. Moreover, 
the group manager is required to conduct a zero-knowledge proof as part of 
Open that the decryption of the ElGamal ciphertext (of $w$) is correct. 
4 Preliminaries 

Definition 1. (safe RSA modulus). We say $n = pq$ is a safe RSA modulus if 
$p = 2p' + 1$, $q = 2q' + 1$, and $p, q, p', q'$ are all primes. 

By convention, let $\gcd(0, n) = n$, and let $QR_n$ be the subgroup of quadratic 
residues modulo $n$. 

Definition 2. (Strong RSA Problem). Let $n = pq$ be an RSA-like modulus and $G$ 
be a cyclic subgroup of $\mathbb{Z}_n^*$, where $|ord(G)| = l_G$. Given $n$ and $z \in_R G$, the Strong 
RSA Problem consists of finding $w \in G$ and $e > 1$ such that $z = w^e \bmod n$. 

Assumption 1 (Strong RSA Assumption). Suppose an RSA-like modulus $n$ and 
$z \in_R G$ are obtained according to a given security parameter $l_G$. The assumption 
states that any probabilistic polynomial-time algorithm $\mathcal{A}$ can solve the Strong 
RSA Problem with only negligible probability. 

The following lemma is useful and has appeared in many places (e.g., 
[GKR00]). 

Lemma 1. Suppose $n = pq$ is a safe RSA modulus. Given an element $w \in 
\mathbb{Z}_n^* \setminus \{1, -1\}$ of $ord(w) < p'q'$, either $\gcd(w - 1, n)$ or $\gcd(w + 1, n)$ is a prime 
factor of $n$. 

Definition 3. (Decisional Diffie-Hellman Problem). Let $G = \langle g \rangle$ be a cyclic 
group generated by $g$, where $|ord(G)| = l_G$. Given $g$, $g^x$, $g^y$, and $g^z \in_R G$, the 
Decisional Diffie-Hellman Problem consists of deciding whether $g^{xy} = g^z$. 

Assumption 2 (Decisional Diffie-Hellman Assumption). Suppose a group $G$ 
and an element $g$ of order $ord(G)$ are obtained according to a given security 
parameter $l_G$. The assumption states that there is no probabilistic polynomial-time 
algorithm that distinguishes with non-negligible probability $(g, g^x, g^y, g^{xy})$ 
from $(g, g^x, g^y, g^z)$, where $x, y, z \in_R \mathbb{Z}_{ord(G)}$. 

We will utilize the ElGamal public key cryptosystem [E85], whose semantic 
security is based on the DDHA [TY98]. Since we always work in the setting of modulo 
a safe RSA modulus, we need a certain group in which the DDHA holds. 

Fact 1. If $n$ is a safe RSA modulus, then $QR_n$ is a cyclic subgroup of order $p'q'$. 
Moreover, if $a \in \mathbb{Z}_n^*$ and $\gcd(a \pm 1, n) = 1$, then $g = a^2 \bmod n$ is of order $p'q'$. 


4.1 The CGHN Public Key Cryptosystem 

We now briefly review Paillier's cryptosystem [P99]. Suppose $n = pq$ where $p$ and 
$q$ are large primes. Then we have Euler's totient function $\varphi(n) = (p-1)(q-1)$ 
and Carmichael's function $\lambda(n) = \mathrm{lcm}(p-1, q-1)$. It follows that $w^{\lambda(n)} = 
1 \bmod n$ and $w^{n\lambda(n)} = 1 \bmod n^2$ for any $w \in \mathbb{Z}_{n^2}^*$. Let $(n, g;\ n, g, p, q)$ be a pair 
of Paillier public and private keys as specified in [P99]. To encrypt a message 
$m \in \mathbb{Z}_n$, one chooses $r \in_R \mathbb{Z}_n^*$ and computes the ciphertext $c = g^m r^n \bmod n^2$. 
Note that an interesting selection of $g$ is $g = 1 + n$, because $(1+n)^m = 
1 + mn \bmod n^2$. 
A performance disadvantage of the Paillier cryptosystem is that one needs to 
compute $r^n \bmod n^2$. Catalano et al. [CGHN01] observed that if we always set 
$g = 1 + n$, then we can use any public exponent $t$ as long as $\gcd(t, \lambda(n^2)) = 1$, 
because a ciphertext $c = (1 + mn) r^t \bmod n^2$ yields $c = r^t \bmod n$, so that $r$ 
can be recovered by a standard RSA decryption operation (and then $m$ from 
$c \cdot r^{-t} \bmod n^2 = 1 + mn$). This means that one only needs to compute an 
exponentiation modulo $n^2$ with respect to an exponent of length $|t| \ll |n|$. We call 
this variant the CGHN cryptosystem; its semantic security is based on the following 
DSRA assumption. 
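As an added illustration (example code written for this page, not the authors' implementation), the following Python snippet instantiates Paillier with $g = 1+n$ and the CGHN variant side by side on a toy modulus, so the two decryption routes can be compared: Paillier decrypts through $c^{\lambda(n)} \bmod n^2$, while CGHN reduces $c$ modulo $n$, takes a $t$-th root with the RSA trapdoor and strips $r^t$. The primes, the exponent $t = 17$ and the sample message are constructed toy values; real parameters need $|n| \geq 2048$ and a prime $t$ with $|t| > k$.

```python
from math import gcd, lcm

# Toy primes (constructed; far too small for security). Safe primes are not needed here.
P, Q = 2039, 2063
T = 17                                     # small prime public exponent for CGHN

def keygen(p, q, t):
    """Returns the public key (n, t) and the private Carmichael value lambda(n).
    CGHN requires gcd(t, lambda(n^2)) = 1 so that x -> x^t is invertible mod n^2."""
    n = p * q
    lam_n2 = lcm(p * (p - 1), q * (q - 1))  # lambda(n^2) = lcm(lambda(p^2), lambda(q^2))
    if gcd(t, lam_n2) != 1:
        raise ValueError("t must be invertible modulo lambda(n^2)")
    return (n, t), lcm(p - 1, q - 1)

def paillier_encrypt(n, m, r):
    """Paillier with g = 1 + n: c = (1 + m n) r^n mod n^2, i.e. a full |n|-bit exponent."""
    n2 = n * n
    return ((1 + m * n) * pow(r, n, n2)) % n2

def paillier_decrypt(n, lam_n, c):
    """c^lambda = (1 + m n)^lambda r^(n lambda) = 1 + m lambda n mod n^2,
    so m = L(c^lambda) * lambda^-1 mod n with L(x) = (x - 1) / n."""
    n2 = n * n
    x = pow(c, lam_n, n2)
    return ((x - 1) // n * pow(lam_n, -1, n)) % n

def cghn_encrypt(pk, m, r):
    """CGHN: c = (1 + m n) r^t mod n^2 with r in Z_n^*; only a |t|-bit exponentiation mod n^2."""
    n, t = pk
    if not (0 <= m < n and 0 < r < n and gcd(r, n) == 1):
        raise ValueError("need 0 <= m < n and r in Z_n^*")
    return ((1 + m * n) * pow(r, t, n * n)) % (n * n)

def cghn_decrypt(pk, lam_n, c):
    """c mod n = r^t mod n (the factor 1 + m n vanishes modulo n), so r is an ordinary
    RSA decryption with exponent t^-1 mod lambda(n); then divide r^t out modulo n^2."""
    n, t = pk
    n2 = n * n
    r = pow(c % n, pow(t, -1, lam_n), n)
    one_plus_mn = (c * pow(pow(r, t, n2), -1, n2)) % n2
    return (one_plus_mn - 1) // n

def demo(m=123456, r=100):
    """Encrypt m under both schemes with the same randomness and decrypt each."""
    pk, lam_n = keygen(P, Q, T)
    n, t = pk
    c_p = paillier_encrypt(n, m, r)
    c_c = cghn_encrypt(pk, m, r)
    return (paillier_decrypt(n, lam_n, c_p), cghn_decrypt(pk, lam_n, c_c),
            c_c % n == pow(r, t, n))       # the observation behind CGHN decryption
```

The third element of the returned tuple is the property the paragraph relies on: the CGHN ciphertext reduced modulo $n$ is exactly $r^t \bmod n$, which is why the $t$-th root can be taken with the RSA trapdoor alone.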

Definition 4. (Computational Small $t$-roots Problem). This is a variant of the 
RSA problem in $\mathbb{Z}_{n^2}^*$. The problem is to invert $y^t \bmod n^2$, where $y \in \mathbb{Z}_n$, $t \in \mathbb{Z}_n$, 
and $\gcd(t, \lambda(n^2)) = 1$. 

Definition 5. (Decisional Small Residuosity Problem, DSRP). This is a decisional 
version of the above computational problem. Given an element $x \in_R \mathbb{Z}_{n^2}^*$, 
one needs to decide whether $x$ is of the form $y^t$ with $y \in \mathbb{Z}_n$. 

Assumption 3 (Decisional Small Residuosity Assumption, DSRA). Let $n$ be a 
randomly chosen $l$-bit RSA modulus, $t \in \mathbb{Z}_n$ such that $\gcd(t, \lambda(n^2)) = 1$, and 
$x \in_R \mathbb{Z}_{n^2}^*$. There exists no probabilistic polynomial-time algorithm that is able to 
decide, with non-negligible advantage, whether $x$ is of the form $y^t$ with $y \in \mathbb{Z}_n$. 

The following lemma will be used (the proof is deferred to [TX03]). 

Lemma 2. Suppose $n$ is a safe RSA modulus. If $A^a = 1 \bmod n^2$ where $A \in \mathbb{Z}_{n^2}^*$ 
and $\gcd(a, n \cdot \lambda(n)) = 1$ or $2$, then $A = \pm 1 \bmod n^2$. 

5 Building Blocks 

5.1 A Composite Accumulator 

Definition 6. A dynamic accumulator for a family of inputs $\{X_l\}$ is a family 
of families of functions $\{\mathcal{F}_l\}$ with the following properties: 

— Generation. There is an efficient probabilistic algorithm $\mathcal{G}$ that on input 
$1^l$ produces a random element $f$ of $\mathcal{F}_l$, and some auxiliary information $aux_f$ 
about $f$. 

— Evaluation. $f \in \mathcal{F}_l$ is a polynomial-size circuit that, on input $(u, x) \in 
U_f \times X_l$, outputs a value $v \in U_f$, where $U_f$ is an efficiently-samplable input 
domain for the function $f$, and $X_l$ is the intended input domain whose elements 
(i.e., composites) are to be accumulated. 

— Quasi-Commutative. For all $l$, for all $f \in \mathcal{F}_l$, for all $u \in U_f$, for all 
$x_1, x_2 \in X_l$, $f(f(u, x_1), x_2) = f(f(u, x_2), x_1)$. If $X = \{x_1, \ldots, x_m\} \subset X_l$, then 
by $f(u, X)$ we denote $f(\cdots f(f(u, x_1), \ldots), x_m)$. 

— Witness. Let $v \in U_f$ and $x \in X_l$. A value $w \in U_f$ is called a witness for $x$ 
in $v$ under $f$ if $v = f(w, x)$. 

— Addition. Let $f \in \mathcal{F}_l$, and $v = f(u, X)$ be the accumulator so far. There is 
an efficient algorithm $\mathcal{A}$ to accumulate a given value $x' \in X_l$. The algorithm 
outputs: (1) $X' = X \cup \{x'\}$ and $v' = f(v, x') = f(u, X')$; (2) $w'$, which is the 
witness for $x \in X$ in $v'$. 

— Deletion. Let $f \in \mathcal{F}_l$, and $v = f(u, X)$ be the accumulator so far. There 
exist efficient algorithms $\mathcal{D}, \mathcal{W}$ to delete an accumulated value $x' \in X$. The 
functionality of the algorithms includes: (1) $\mathcal{D}(aux_f, v, x') = v'$ such that 
$v' = f(u, X \setminus \{x'\})$, and (2) $\mathcal{W}(w, x, x', v, v') = w'$ such that $f(w', x) = v'$, 
where $x \in X$ and $f(w, x) = v$. 

Definition 7. Let $U'_f \times X'_l$ denote the domains for which the function $f \in \mathcal{F}_l$ is 
defined (thus $U_f \subset U'_f$, $X_l \subset X'_l$). To capture the security of a dynamic accumulator 
accumulating composites, we consider the following game: At the beginning of 
the game, an accumulator manager sets up the function $f$ and the value $u$ and 
hides the trapdoor information $aux_f$. Then, the adversary $ADV$ is allowed to 
adaptively modify the set $X$ of accumulated values: when a value $x \in X_l$ is 
added, the manager updates the accumulator value using algorithm $\mathcal{A}$; when a 
value $x \in X$ is deleted, the manager runs algorithm $\mathcal{D}$ and publishes the result. We say 
$ADV$ wins in this game if, with non-negligible probability, it manages to output 
a witness $w'$ for a value $x' \in X'_l$ such that $x' \nmid \prod_{x \in X} x$. More formally, we 
require that 

$$\Pr\big[(f, aux_f) \leftarrow \mathcal{G}(1^l);\ u \leftarrow U_f;\ (w', x', X) \leftarrow ADV^{\mathcal{O}_{add}, \mathcal{O}_{del}}(f, u, U_f) :\ 
w' \in U'_f;\ x' \in X'_l;\ x' \nmid \textstyle\prod_{x \in X} x;\ f(w', x') = f(u, X)\big]$$ 

be negligible, where $\mathcal{O}_{add}$ ($\mathcal{O}_{del}$) is the oracle for the Addition (resp. Deletion) 
operations. (Note that only a legitimately accumulated value $x$ must belong 
to $X_l$, whereas a forged value $x'$ can belong to a possibly larger set $X'_l$.) 
Construction. This construction is a variant of the one in [CL02]. 

— $\mathcal{F}_l$ is the family of functions that correspond to exponentiation modulo a safe 
RSA modulus drawn from the integers of length $l$. Choosing $f \in \mathcal{F}_l$ amounts 
to choosing a random safe RSA modulus $n = pq$ of length $l$, where $p = 2p' + 1$, 
$q = 2q' + 1$. We will denote by $f_{n,A,B}$ the function corresponding to modulus $n$ 
and domain $X_{A,B}$. 

— $X_{A,B} = \{e_1 e_2 : e_1 \in S_1 \wedge e_2 \in S_2\}$, where $S_1 = \{e : e \in \text{primes} \wedge e \neq 
p' \wedge e \neq q' \wedge A_1 < e < B_1\}$ and $S_2 = \{e : e \in \text{primes} \wedge e \neq p' \wedge e \neq q' \wedge A_2 < 
e < B_2\}$. $A_1, A_2, B_1$, and $B_2$ can be chosen with arbitrary polynomial 
dependence on the security parameter $l$ as long as $4 < A_1$, $1 < A_2$, 
$B_1 B_2 < A_1^3$, and $B_1 B_2 < p'q'$. Then $X'_{A,B} \subset \{5, \ldots, A_1^3 - 1\}$ and $X_{A,B} \subset X'_{A,B}$. 

— For $f = f_{n,A,B}$, the auxiliary information $aux_f$ is the factorization of $n$. 

— For $f = f_{n,A,B}$, $U_f = \{u \in QR_n : u \neq 1\}$ and $U'_f = \mathbb{Z}_n^*$. 

— For $f = f_{n,A,B}$, $f(w, x) = w^x \bmod n$. We remark that $f(f(w, x_1), x_2) = 
f(w, \{x_1, x_2\}) = w^{x_1 x_2} \bmod n$. 

— Update of the accumulator value. Adding a value $x'$ to the accumulator value 
$v$ is done by setting $v' = f(v, x') = v^{x'} \bmod n$. Deleting a value $x'$ from the 
accumulator is done by setting $v' = \mathcal{D}((p, q), v, x') = v^{x'^{-1} \bmod \varphi(n)} \bmod n$. 

— Update of witness. Updating the witness $w$ after $x'$ has been added can be 
done by $w' = f(w, x') = w^{x'}$. In the case that $x' \neq x \in X_{A,B}$ has been deleted 
from the accumulator, the witness $w$ can be updated as follows. By the 
extended GCD algorithm, one can compute $a, b \in \mathbb{Z}$ such that $ax + bx' = 1$ 
and then $w' = \mathcal{W}(w, x, x', v, v') = w^b v'^a$. This guarantees $f(w', x) = 
(w')^x = v' \bmod n$ because: 

$$w' = w^b v'^a = \big(v^{x'^{-1} \bmod \varphi(n)}\big)^a w^b = w^{(ax + bx')(x'^{-1} \bmod \varphi(n))} 
= w^{x'^{-1} \bmod \varphi(n)} \bmod n,$$ 

so that $(w')^x = w^{x \cdot x'^{-1} \bmod \varphi(n)} = v^{x'^{-1} \bmod \varphi(n)} = v'$. 
Note that it is crucial that $\gcd(x', \varphi(n)) = 1$, but this is always guaranteed 
(every $x' \in X_{A,B}$ is a product of odd primes different from $p'$ and $q'$). 

Theorem 1. ([TX03]) Under the Strong RSA Assumption (SRSA), the above 
construction is a secure dynamic accumulator that accumulates composites. 
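To make the update and tracing rules concrete, here is an added Python toy of the construction above (written for this page, not the paper's code). It accumulates two members' composites, lets them collude as in the second question of Section 3 to forge a witness for a value they never registered, shows that the gcd test used by Open later in the paper exposes both colluders, and finally revokes one member and repairs the other's witness with the extended-GCD step of $\mathcal{W}$. The safe primes $p = 2 \cdot 1019 + 1$, $q = 2 \cdot 1031 + 1$ and the composites $7 \cdot 13$ and $17 \cdot 19$ are constructed toy values; no range checks on $X'_{A,B}$ are applied.

```python
from math import gcd

# Constructed safe primes p = 2p'+1, q = 2q'+1 (toy size; real ones are ~1024 bits each).
P_, Q_ = 1019, 1031
N = (2 * P_ + 1) * (2 * Q_ + 1)     # accumulator modulus n = 2039 * 2063
PHI = 4 * P_ * Q_                   # phi(n) = (p-1)(q-1)

def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def f(w, x):
    """The accumulator function f_n(w, x) = w^x mod n."""
    return pow(w, x, N)

def add(v, x):
    """Manager adds composite x: v' = f(v, x). The previous v is the joining member's witness."""
    return f(v, x)

def delete(v, x):
    """Manager (holding phi(n)) removes x: v' = v^(x^-1 mod phi(n)). Needs gcd(x, phi(n)) = 1."""
    if gcd(x, PHI) != 1:
        raise ValueError("accumulated values must be coprime to phi(n)")
    return pow(v, pow(x, -1, PHI), N)

def witness_after_add(w, x_added):
    """A member raises her witness to the newly added value."""
    return f(w, x_added)

def witness_after_delete(w, x, x_deleted, v_new):
    """W(w, x, x', v, v'): with a*x + b*x' = 1, w' = w^b v'^a satisfies (w')^x = v'."""
    g, a, b = egcd(x, x_deleted)
    if g != 1:
        raise ValueError("x and the deleted value must be coprime")
    return (pow(w, b, N) * pow(v_new, a, N)) % N   # negative exponents invert modulo N

def trace(e_forged, archive):
    """Open, case (b): a value outside the archive that still verifies divides the product of
    archived values, so it shares a non-trivial factor with at least one archived e'."""
    return [e for e in archive if 1 < gcd(e_forged, e) < e]

def demo():
    u = pow(5, 2, N)                 # u in QR_n
    e1, e2 = 7 * 13, 17 * 19         # Alice's and Bob's composites (toy primes, coprime to phi(n))
    archive, v = [], u
    w1, v = v, add(v, e1); archive.append(e1)          # Alice joins: witness = old v
    w2, v = v, add(v, e2); archive.append(e2)          # Bob joins
    w1 = witness_after_add(w1, e2)                      # Alice updates for Bob's value
    members_ok = f(w1, e1) == v and f(w2, e2) == v
    # Collusion: pooling factor knowledge, Alice and Bob build a witness for e' = 7 * 17,
    # which was never accumulated but divides e1 * e2.
    e_forged = 7 * 17
    wa, wb = f(w1, 13), f(w2, 19)    # witnesses for 7 and for 17: wa^7 = wb^17 = v
    _, a, b = egcd(7, 17)            # a*7 + b*17 = 1
    w_forged = (pow(wa, b, N) * pow(wb, a, N)) % N
    forged_ok = f(w_forged, e_forged) == v and e_forged not in archive
    traced = trace(e_forged, archive)                  # both colluders' values show up
    # Revoke Bob: the manager deletes e2; Alice repairs her witness with the extended GCD.
    v_new = delete(v, e2); archive.remove(e2)
    w1_new = witness_after_delete(w1, e1, e2, v_new)
    return members_ok, forged_ok, traced, f(w1_new, e1) == v_new, f(w2, e2) != v_new
```

The forged witness verifies against the accumulator, which is exactly why the security game above is phrased with $x' \nmid \prod_{x \in X} x$ rather than $x' \notin X$; the scheme lives with such forgeries because `trace` names the members whose composites were factored.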


5.2 Proving That One Knows the Factorization 
of a Committed Value 

In order to enable ownership-proofs, we adopt the Damgard-Fujisaki commit- 
ment scheme [DF02] with slight modification. Nonetheless, our protocol for a 
signer to prove that she knows the factorization of a committed value is more 
efficient than the protocol presented in [DF02], and thus may be independently 
interesting. 

The Commitment Scheme. Let $l$ (for the length of the modulus) and $k$ (for the 
challenge length) be security parameters, where $l \gg k$. This scheme consists of 
the following three algorithms. 

— Set-up. This algorithm is run by a trusted third party (TTP). Given a security 
parameter $l$, the TTP chooses a safe RSA modulus $N = PQ$, where 
$P = 2P' + 1$, $Q = 2Q' + 1$, and $|P'| = |Q'| = l/2$. Denote by $\mathcal{G} = QR_N$ and 
$l_{\mathcal{G}} = |ord(\mathcal{G})| = l$. The TTP chooses two generators of $\mathcal{G}$, $G$ and $H$, uniformly 
at random; i.e., $\mathcal{G} = \langle G \rangle = \langle H \rangle$. Note that Fact 1 implies that this can be 
easily done. 

— Commit. To commit to an integer $x$, the prover chooses $r \in_R \mathbb{Z}_{\lfloor N/4 \rfloor}$ and 
sends $C = H^x G^r \bmod N$ to the verifier. 

— Open. To open a commitment, the prover must send $x, r, b$ such that $C = 
H^x G^r b \bmod N$, $b = \pm 1$. 

Lemma 3. ([DF02]) The above commitment scheme is perfectly hiding and computationally 
binding. 

A Protocol for Proving That One Knows the Factorization of a Committed 
Value. Suppose $X$ is a given random integer such that $|X| = \lambda_1$. Let 
$\epsilon > 1$ be a security parameter for statistical zero-knowledge, and let $\lambda_2$ denote a length 
such that $l/2 > \lambda_1 > \epsilon(\lambda_2 + k) + 2$. Alice, who holds $e$, is to prove that she knows 
the factorization $e = e_1 e_2$, where $e_1 \in \{X - 2^{\lambda_2}, \ldots, X + 2^{\lambda_2}\}$ and $e_2 \neq 0, \pm 1$. 
The protocol goes as follows. 

1. The prover, Alice, chooses $r_1 \in_R \pm\{0,1\}^{l+k}$ and generates $C_1 = H^{e_1} G^{r_1} 
\bmod N$, $C_3 = (C_1)^{e_2} \bmod N$. In order to prove knowledge of $e = e_1 e_2$, 
$e_1$, $e_2$, $r_1$, $r = r_1 e_2$ such that 

$$C_1 = H^{e_1} G^{r_1} \bmod N \ \wedge\ C_3 = H^e G^r \bmod N \ \wedge\ C_3 = (C_1)^{e_2} \bmod N,$$ 

she executes as follows: 

- choose $e'_1 \in_R \pm\{0,1\}^{\epsilon(\lambda_2 + k)}$, $e'_2 \in_R \pm\{0,1\}^{\epsilon(\lambda_1 + k + 1)}$, $e' \in_R 
\pm\{0,1\}^{\epsilon(2\lambda_1 + k + 1)}$, $r'_1 \in_R \pm\{0,1\}^{\epsilon(l + 2k)}$, $r' \in_R \pm\{0,1\}^{\epsilon(l + \lambda_1 + 2k + 1)}$. 

- compute $C'_1 = H^{e'_1} G^{r'_1} \bmod N$, $C'_{3a} = H^{e'} G^{r'} \bmod N$, $C'_{3b} = (C_1)^{e'_2} 
\bmod N$. 

- send $(C_1, C_3, C'_1, C'_{3a}, C'_{3b})$ to the verifier. 

2. The verifier, Bob, chooses $c \in_R \{0,1\}^k$ and sends $c$ to Alice. 

3. Alice sends Bob $(s_{e_1}, s_{r_1}, s_{e_2}, s_e, s_r)$, where $s_{e_1} = e'_1 - c(e_1 - X)$, $s_{r_1} = 
r'_1 - c \cdot r_1$, $s_e = e' - c \cdot e$, $s_r = r' - c \cdot r$, $s_{e_2} = e'_2 - c \cdot e_2$ (all in $\mathbb{Z}$). 

4. Bob accepts if the following holds: $H^{s_{e_1}} G^{s_{r_1}} = C'_1 C_1^{-c} H^{cX} \bmod N$, $H^{s_e} 
G^{s_r} = C'_{3a} C_3^{-c} \bmod N$, $C_1^{s_{e_2}} = C'_{3b} C_3^{-c} \bmod N$, $s_{e_1} \in \{-2^{\epsilon(\lambda_2 + k) + 1}, \ldots, 
2^{\epsilon(\lambda_2 + k) + 1}\}$, $s_{e_2} \in \{-2^{\epsilon(\lambda_1 + k + 1) + 1}, \ldots, 2^{\epsilon(\lambda_1 + k + 1) + 1}\}$, $s_e \in \{-2^{\epsilon(2\lambda_1 + k + 1) + 1}, 
\ldots, 2^{\epsilon(2\lambda_1 + k + 1) + 1}\}$, $C_3 \neq 1$, and $C_3 \neq (C_1)^b \bmod N$ where $b = \pm 1$. 

The proof of the following lemma is available in [TX03]. 

Lemma 4. The above protocol is an honest-verifier statistical zero-knowledge 
proof of knowledge of $e, e_1, e_2$ such that $e = e_1 e_2$, $e_1 \in \{X - 2^{\epsilon(\lambda_2 + k) + 2}, \ldots, 
X + 2^{\epsilon(\lambda_2 + k) + 2}\}$, $e_2 \in \{-2^{\epsilon(\lambda_1 + k + 1) + 2}, \ldots, 2^{\epsilon(\lambda_1 + k + 1) + 2}\} \setminus \{0, \pm 1\}$, and $e \in \{-
2^{\epsilon(2\lambda_1 + k + 1) + 2}, \ldots, 2^{\epsilon(2\lambda_1 + k + 1) + 2}\}$. 
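The three-move protocol above, run end to end in Python as an added example (not the authors' code): the prover commits to $e_1$, derives $C_3 = C_1^{e_2}$, and answers the challenge over the integers; the verifier checks the three exponent equations, the response ranges and the non-triviality conditions $C_3 \neq 1$, $C_3 \neq C_1^{\pm 1}$ that rule out $e_2 \in \{0, \pm 1\}$. The modulus $N = (2 \cdot 1019 + 1)(2 \cdot 1031 + 1)$, the generators, $X = 1000$, $k = 4$ and the bit lengths are constructed toy parameters standing in for the paper's $|N| \approx 2048$, $\lambda_1 = 950$, $\lambda_2 = 700$, $\epsilon = 1.1$, $k = 160$.

```python
import math, secrets

# Toy commitment parameters (constructed): safe RSA modulus N = (2*1019+1)(2*1031+1) and two
# generators of QR_N obtained as in Fact 1. The values only keep the arithmetic readable.
N = (2 * 1019 + 1) * (2 * 1031 + 1)
G, H = pow(5, 2, N), pow(7, 2, N)     # gcd(5 +- 1, N) = gcd(7 +- 1, N) = 1
L_MOD, K, EPS = 23, 4, 1.1            # |N| in bits, challenge length, ZK slack
LAMBDA_1, LAMBDA_2 = 10, 3            # |X| = lambda_1; e_1 must lie within +-2^lambda_2 of X
X = 1000                              # the public value around which e_1 is chosen

def rs(nbits):
    """Uniform element of +-{0,1}^nbits, i.e. an integer in (-2^nbits, 2^nbits)."""
    v = secrets.randbelow(1 << nbits)
    return -v if secrets.randbits(1) else v

def mexp(base, exp):
    """base^exp mod N for exp in Z (negative exponents use the inverse modulo N)."""
    return pow(base, exp, N)

def prover_commit(e1, e2):
    """Step 1: commit to e_1, set C_3 = C_1^{e_2}, and prepare the first-move values."""
    r1 = rs(L_MOD + K)
    C1 = (mexp(H, e1) * mexp(G, r1)) % N
    C3 = mexp(C1, e2)                                       # = H^{e1 e2} G^{r1 e2}
    e1p = rs(math.ceil(EPS * (LAMBDA_2 + K)))
    e2p = rs(math.ceil(EPS * (LAMBDA_1 + K + 1)))
    ep = rs(math.ceil(EPS * (2 * LAMBDA_1 + K + 1)))
    r1p = rs(math.ceil(EPS * (L_MOD + 2 * K)))
    rp = rs(math.ceil(EPS * (L_MOD + LAMBDA_1 + 2 * K + 1)))
    C1p = (mexp(H, e1p) * mexp(G, r1p)) % N
    C3a = (mexp(H, ep) * mexp(G, rp)) % N
    C3b = mexp(C1, e2p)
    state = (e1, e2, r1, r1 * e2, e1p, e2p, ep, r1p, rp)
    return state, (C1, C3, C1p, C3a, C3b)

def prover_respond(state, c):
    """Step 3: responses computed over the integers (no modular reduction)."""
    e1, e2, r1, r, e1p, e2p, ep, r1p, rp = state
    return (e1p - c * (e1 - X), r1p - c * r1, e2p - c * e2, ep - c * e1 * e2, rp - c * r)

def verifier_check(msg1, c, resp):
    """Step 4: three exponent equations, the response ranges, and the non-triviality checks."""
    C1, C3, C1p, C3a, C3b = msg1
    se1, sr1, se2, se, sr = resp
    in_range = lambda s, L: abs(s) <= 1 << (math.ceil(L) + 1)
    return ((mexp(H, se1) * mexp(G, sr1)) % N == (C1p * mexp(C1, -c) * mexp(H, c * X)) % N
            and (mexp(H, se) * mexp(G, sr)) % N == (C3a * mexp(C3, -c)) % N
            and mexp(C1, se2) == (C3b * mexp(C3, -c)) % N
            and in_range(se1, EPS * (LAMBDA_2 + K))
            and in_range(se2, EPS * (LAMBDA_1 + K + 1))
            and in_range(se, EPS * (2 * LAMBDA_1 + K + 1))
            and C3 != 1 and C3 != C1 and C3 != mexp(C1, -1))  # rules out e_2 = 0, +1, -1

def run_protocol(e1, e2):
    """One honest-verifier execution: Alice claims e = e1*e2 with e1 near X and e2 non-trivial."""
    state, msg1 = prover_commit(e1, e2)
    c = secrets.randbelow(1 << K)
    return verifier_check(msg1, c, prover_respond(state, c))
```

`run_protocol(997, 13)` accepts, while `run_protocol(997, 1)` and `run_protocol(997, -1)` are rejected by the $C_3 \neq C_1^{\pm 1}$ check regardless of the challenge. Note the range caveat of Lemma 4: the protocol only guarantees $e_1$ within $X \pm 2^{\epsilon(\lambda_2 + k) + 2}$, so an $e_1$ slightly outside $X \pm 2^{\lambda_2}$ (e.g. $1009$ in the toy) can still pass; the scheme's Setup chooses $\lambda_1$ and $\lambda_2$ so that this slack is harmless.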


5.3 Verifiable Encryption of a Committed Value 

In order to facilitate the Open process, we need to force the signer to present 
an encryption of her accumulated value $e$, for which she proves that she knows 
its non-trivial factorization $e = e_1 e_2$. For this purpose, we need a verifiable 
encryption scheme. Here we present such a scheme based on the CGHN public 
key cryptosystem. 

Specifically, suppose public values $N$, $G$, and $H$ are chosen according to the 
commitment scheme in Section 5.2. Let $pk = (n, t)$ be a CGHN public key and 
$sk = (n, t, p, q)$ be the corresponding private key, where $n = pq$, $|n| = |N|$, 
and $t$ is a prime such that $|t| > k$. The prover generates a ciphertext $Y = 
(1 + n)^x r^t \bmod n^2$ and a commitment $C = H^x G^z \bmod N$, where $r \in \mathbb{Z}_n^*$ and 
$z \in_R \mathbb{Z}_{\lfloor N/4 \rfloor}$. The prover needs to show that the ciphertext $Y$ indeed corresponds 
to the committed secret $x$. The protocol is as follows: 

1. The prover chooses $x' \in_R \pm\{0,1\}^{\epsilon(\lambda_2 + k)}$, $r' \in_R \mathbb{Z}_n^*$, $z' \in_R \{0,1\}^{\epsilon(l + k)}$, 
computes and sends to the verifier $Y' = (1 + n)^{x'} (r')^t \bmod n^2$ and $C' = 
H^{x'} G^{z'} \bmod N$. 

2. The verifier responds with a random challenge $c \in_R \{0,1\}^k$. 

3. The prover sends to the verifier $s_x = x' - cx$ (in $\mathbb{Z}$), $s_r = r^{-c} r' \bmod n^2$, and 
$s_z = z' - cz$ (in $\mathbb{Z}$). 

4. The verifier accepts if the following holds: $s_x \in \{-2^{\epsilon(\lambda_2 + k) + 1}, \ldots, 2^{\epsilon(\lambda_2 + k) + 1}\}$, 
$(1 + n)^{s_x} (s_r)^t = Y' Y^{-c} \bmod n^2$, and $H^{s_x} G^{s_z} = C' C^{-c} \bmod N$. 

Lemma 5. ([TX03]) The above protocol is an honest-verifier statistical zero-knowledge 
proof of knowledge of $x, r, z$. 
6 A New Group Signature Scheme 

As highlighted in Section 3, the basic idea underlying our group signature scheme 
is to utilize an accumulator accumulating composites such as $e = e_1 e_2$, where $e_1$ 
and $e_2$ are only known to the user who generates it. Suppose $v$ is the accumulator 
value. This knowledge allows the user to conduct an ownership-proof by 
demonstrating that she knows the factorization of a committed $e$, whereas the 
witness $w$ facilitates an authorization-proof that $w^e = v \bmod n$. 


6.1 Setup 

Initialization of the system includes that a group manager establishes some 
cryptographic parameters and that a TTP establishes some common auxiliary 
strings. Specifically: 

1. Let $l$, $k$, and $\epsilon > 1$ be security parameters. Let $X$ be a random integer of 
length $|X| = \lambda_1$. Suppose $\lambda_2$ denotes a length such that $l/2 > \lambda_1 > \epsilon(\lambda_2 + 
k) + 2$. Denote $A = X - 2^{\lambda_2}$ and $B = X + 2^{\lambda_2}$. Define the integral ranges 
$\Lambda_1 = \{A, \ldots, B\}$, $\Lambda_2 = \{2^{\lambda_1}, \ldots, 2^{\lambda_1 + 1} - 1\}$, and $\Gamma = \{-2^{2\lambda_1 + 1}, \ldots, 
2^{2\lambda_1 + 1}\}$. Define $X_{A,B} = \{e_1 e_2 : e_1 \in S_1 \wedge e_2 \in S_2\}$, where $S_1 = \{e : e \in 
\text{primes} \wedge e \in \Lambda_1\}$ and $S_2 = \{e : e \in \text{primes} \wedge e \in \Lambda_2\}$. We assume that no 
probabilistic polynomial-time (in $l$) algorithm is able to factor $e \in_R X_{A,B}$; 
this is where we need the stronger factoring assumption (see Section 7 for 
more discussion). Note that we have (1) $4 < A$, (2) $B(2^{\lambda_1 + 1} - 1) < A^3$. Let 
$X'_{A,B} \subset \{5, \ldots, A^3 - 1\}$ such that $X_{A,B} \subset X'_{A,B}$. The group manager executes 
as follows: 

— It chooses a safe RSA modulus $n = (2p' + 1)(2q' + 1)$ such that $|p'| = |q'| = 
l/2$. This uniquely determines $QR_n$, the subgroup of quadratic residues 
modulo $n$. 

— It establishes an instance of the ElGamal public key cryptosystem. Let $(y_1 = 
g_1^{x_1} \bmod n;\ x_1)$ be the pair of public and private keys, where $g_1 \in_R 
QR_n$ and $x_1 \in_R \mathbb{Z}^*_{p'q'}$. 

— It establishes an instance of the CGHN cryptosystem. Let $(n, t;\ n, t, p, q)$ be 
the pair of public and private keys, where $t$ is a prime such that $|t| > k$. 

— It establishes an instance of the dynamic accumulator by choosing $u \in_R 
QR_n$ and establishing (currently empty) public archives $\mathfrak{A}$, for storing values 
corresponding to added group members, and $\mathfrak{D}$, for storing values 
corresponding to deleted group members. 

The public and private parameters of the group manager are $(n, t, g_1, y_1, u, \mathfrak{A}, 
\mathfrak{D}, X_{A,B}, X'_{A,B})$ and $(p', q')$, respectively. Note that a signature receiver can 
verify group signatures without knowing the dynamically updated $\mathfrak{A}$ or $\mathfrak{D}$. 

2. Given a security parameter $l$, a TTP initializes a safe RSA modulus $N = 
(2P' + 1)(2Q' + 1)$, where $|P'| = |Q'| = l/2$. It also chooses and publishes 
two random elements $G, H \in_R QR_N$, where the logarithm of $G$ and $H$ to 
each other is unknown to any participant in the group signature scheme. 
6.2 Join 

This protocol is executed between a group member, Alice, and the group manager. 

1. Alice chooses two primes $e_1 \in_R S_1$ and $e_2 \in_R S_2$. This step can be done 
before the execution of the protocol. 

2. Alice sends $e = e_1 e_2$ (in $\mathbb{Z}$) to the group manager. 

3. If $A \cdot 2^{\lambda_1} < e < B \cdot (2^{\lambda_1 + 1} - 1)$, $e$ is odd, and $e \notin \mathfrak{A}$, the group manager stores 
Alice's membership certificate $(v, e)$, where $v$ is the current accumulator value 
(when the first user joins the group, $v = u$). It also updates $v$ in the public 
key file as $v' = f_n(v, e)$, and adds $e$ to $\mathfrak{A}$. 

4. Alice gets her membership certificate $(w, e)$ and checks whether $f_n(w, e) = w^e = 
v' \bmod n$, where $w = v$. 

Remark. The Join process is very efficient (1 exponentiation for both the group 
manager and the new user) because of the following: if a dishonest user, Eve, does 
not choose an $e$ that is hard to factor, then any participant (internal or external) 
who can find a non-trivial factor of $e$ may be able to sign on her behalf. This is 
why the group manager need not check that $e$ is well-formed (cf. Section 3). 


6.3 Revoke 

Suppose Eve, who has membership certificate $(w, e)$, is to be expelled from the 
group. Then the group manager can revoke her membership by updating the current 
accumulator value $v$ in the public key file: it simply sets $v' = \mathcal{D}(\varphi(n), v, e)$, 
deletes $e$ from $\mathfrak{A}$, and adds $e$ to $\mathfrak{D}$. 

6.4 Update 

Whenever there is a Join and/or Revoke event, the group manager updates the 
accumulator value from $v$ to $v'$. Correspondingly, every group member needs to 
update her membership certificate. An entry in the archives is called “new” if it 
was entered after the last time a legitimate group member performed an update. 
Suppose Bob holds a membership certificate $(w, e)$ such that $f_n(w, e) = v$. Then 
he updates his membership certificate to $(w', e)$ such that $f_n(w', e) = v'$: 

- For all new $e^* \in \mathfrak{A}$: $w'' = f_n(w, \prod e^*)$ and $v'' = f_n(v, \prod e^*)$. 

- For all new $e^* \in \mathfrak{D}$: $w' = \mathcal{W}(w'', e, \prod e^*, v'', v')$. 


6.5 Sign 

Recall that $(n, t)$ is the group manager's CGHN public key, and that $y_1 = 
g_1^{x_1} \bmod n$ is the group manager's ElGamal public key. Suppose that $v$ is the 
current accumulator value, and that Alice holds $(w, e)$ such that $w^e = v \bmod n$, 
where $e = e_1 e_2$. Given a message $m$, Alice generates a group signature as follows. 

1. She executes as follows. 

- She chooses $r_1 \in_R \mathbb{Z}_n^*$ and computes a CGHN ciphertext $\delta = (1 + 
en) r_1^t \bmod n^2$. 

- She chooses $r_2 \in_R \pm\{0,1\}^{l+k}$ and computes an ElGamal ciphertext 
$(\alpha, \beta)$ where $\alpha = g_1^{r_2} \bmod n$ and $\beta = w \cdot y_1^{r_2} \bmod n$. 

- She chooses $r_4 \in_R \pm\{0,1\}^{l+k}$ and generates commitments $\sigma = H^{e_1} G^{r_4} 
\bmod N$, $\tau = \sigma^{e_2} = H^e G^{r_4 e_2} \bmod N$. 

2. She needs to prove the knowledge of: 

- $(w, e)$ such that $w^e = v \bmod n$, where $w$ corresponds to the ElGamal 
ciphertext $(\alpha, \beta)$, and $e$ corresponds to the CGHN ciphertext $\delta$. 

- $e_1$ and $e_2$ such that $e_1 \in \Lambda_1$, $e_2 \in \Lambda_2$, and $e = e_1 e_2 \in \Gamma$. 

For this purpose, she needs to prove the knowledge of $e, e_1, e_2, r_1, r_2, r_3 = 
r_2 e, r_4, r_5 = r_4 e_2$ such that: 

$$\delta = (1 + n)^e r_1^t \bmod n^2 \ \wedge\ \alpha = g_1^{r_2} \bmod n \ \wedge\ v = \beta^e (1/y_1)^{r_3} \bmod n \ \wedge\ 1 = \alpha^e (1/g_1)^{r_3} \bmod n \ \wedge$$ 
$$\tau = H^e G^{r_5} \bmod N \ \wedge\ \sigma = H^{e_1} G^{r_4} \bmod N \ \wedge\ \tau = \sigma^{e_2} \bmod N \ \wedge\ 
e \in \Gamma \ \wedge\ e_1 \in \Lambda_1 \ \wedge\ e_2 \in \Lambda_2.$$ 

Specifically, she executes as follows: 

(a) She executes the following steps: 

- Choose $e' \in_R \pm\{0,1\}^{\epsilon(2\lambda_1 + k + 1)}$ and $r'_1 \in_R \mathbb{Z}_n^*$, and compute $\delta' = 
(1 + n)^{e'} (r'_1)^t \bmod n^2$. 

- Choose $r'_2 \in_R \pm\{0,1\}^{\epsilon(l + 2k)}$, $r'_3 \in_R \pm\{0,1\}^{\epsilon(l + 2\lambda_1 + 2k + 1)}$, and generate: 

$$\alpha' = g_1^{r'_2} \bmod n, \quad v' = \beta^{e'} (1/y_1)^{r'_3} \bmod n, \quad \omega' = \alpha^{e'} (1/g_1)^{r'_3} \bmod n.$$ 

- Choose $e'_1 \in_R \pm\{0,1\}^{\epsilon(\lambda_2 + k)}$, $e'_2 \in_R \pm\{0,1\}^{\epsilon(\lambda_1 + k + 1)}$, $r'_4 \in_R \pm 
\{0,1\}^{\epsilon(l + 2k)}$, $r'_5 \in_R \pm\{0,1\}^{\epsilon(l + \lambda_1 + 2k + 1)}$, and generate: 

$$\tau'_1 = H^{e'} G^{r'_5} \bmod N, \quad \sigma' = H^{e'_1} G^{r'_4} \bmod N, \quad \tau'_2 = \sigma^{e'_2} \bmod N.$$ 

(b) She computes $c = \mathcal{H}(m, n, t, g_1, y_1, N, G, H, \delta, \alpha, \beta, \tau, \sigma, \delta', \alpha', v', \omega', \tau'_1, 
\sigma', \tau'_2)$, where $\mathcal{H} : \{0,1\}^* \to \{0,1\}^k$ behaves like a random oracle. 

(c) She computes (all the operations, except the computation of $s_{r_1}$, are in 
$\mathbb{Z}$): 

$$s_e = e' - c \cdot e, \quad s_{e_1} = e'_1 - c \cdot (e_1 - X), \quad s_{e_2} = e'_2 - c \cdot e_2,$$ 
$$s_{r_1} = r_1^{-c} \cdot r'_1 \bmod n^2, \quad s_{r_2} = r'_2 - c \cdot r_2, \quad s_{r_3} = r'_3 - c \cdot r_3,$$ 
$$s_{r_4} = r'_4 - c \cdot r_4, \quad s_{r_5} = r'_5 - c \cdot r_5.$$ 

(d) She sends Bob $(m, c, n, t, g_1, y_1, N, G, H, \delta, \alpha, \beta, \sigma, \tau, s_e, s_{e_1}, s_{e_2}, s_{r_1}, s_{r_2}, 
s_{r_3}, s_{r_4}, s_{r_5})$. 

Cost: Our Sign requires 17 exponentiations, whereas [CL02] requires 25 exponentiations. 
Note that 2 of our 17 exponentiations are $r^t \bmod n^2$, but $t \ll n$ 
(e.g., $|t| = 161$). See [TX03] for further discussions. 
6.6 Verify 

Given $(m, c, n, t, g_1, y_1, N, G, H, \delta, \alpha, \beta, \sigma, \tau, s_e, s_{e_1}, s_{e_2}, s_{r_1}, s_{r_2}, s_{r_3}, s_{r_4}, s_{r_5})$, Bob 
checks whether it is a valid signature as follows. 

1. Bob computes $d = \mathcal{H}(m, n, t, g_1, y_1, N, G, H, \delta, \alpha, \beta, \tau, \sigma, \delta', \alpha', v', \omega', \tau'_1, \sigma', 
\tau'_2)$, where 

$$\delta' = (1 + n)^{s_e} (s_{r_1})^t \delta^c \bmod n^2, \quad \alpha' = g_1^{s_{r_2}} \alpha^c \bmod n,$$ 
$$v' = \beta^{s_e} (1/y_1)^{s_{r_3}} v^c \bmod n, \quad \omega' = \alpha^{s_e} (1/g_1)^{s_{r_3}} \bmod n,$$ 
$$\tau'_1 = H^{s_e} G^{s_{r_5}} \tau^c \bmod N, \quad \sigma' = H^{s_{e_1} - cX} G^{s_{r_4}} \sigma^c \bmod N,$$ 
$$\tau'_2 = \sigma^{s_{e_2}} \tau^c \bmod N.$$ 

2. Bob accepts if $c = d$, $s_{e_1} \in \{-2^{\epsilon(\lambda_2 + k) + 1}, \ldots, 2^{\epsilon(\lambda_2 + k) + 1}\}$, $s_{e_2} \in 
\{-2^{\epsilon(\lambda_1 + k + 1) + 1}, \ldots, 2^{\epsilon(\lambda_1 + k + 1) + 1}\}$, $s_e \in \{-2^{\epsilon(2\lambda_1 + k + 1) + 1}, \ldots, 2^{\epsilon(2\lambda_1 + k + 1) + 1}\}$, 
$\tau \neq 1 \bmod N$, and $\tau \neq \sigma^b \bmod N$ where $b = \pm 1$. 

Cost: Verify, without any optimizations, requires 16 exponentiations, which is 
somewhat more efficient than the 21 exponentiations in [CL02]. However, we believe 
that the Verify process in the latter is incomplete; a complete version would 
require a few more exponentiations. See [TX03] for further discussions. 


6.7 Open 

Given a valid group signature $(m, c, n, t, g_1, y_1, N, G, H, \delta, \alpha, \beta, \sigma, \tau, s_e, s_{e_1}, s_{e_2}, 
s_{r_1}, s_{r_2}, s_{r_3}, s_{r_4}, s_{r_5})$, the group manager can identify the signer by decrypting 
both $w$ and $e$ such that $w^e = v \bmod n$. It also needs to prove that the decryption 
of $w$ is correct, namely $DLOG(g_1, y_1) = DLOG(\alpha, \beta/w)$. 

1. It decrypts the CGHN ciphertext $\delta$ to obtain $e$, and decrypts the ElGamal 
ciphertext $(\alpha, \beta)$ to obtain $w$. It must hold that $A^3 > e > 1$. 

2. There are two further cases. 

(a) If $e \in \mathfrak{A}$, then it publishes (1) the values $w$ and $e$, and (2) the proof that 
$DLOG(g_1, y_1) = DLOG(\alpha, \beta/w)$. Note that knowing $w$ and $e$ exposes 
neither previous nor future (even if the system policy allows them) 
signatures generated by the same group member. 

(b) If $e \notin \mathfrak{A}$, then it must hold that $e \mid \prod_{e' \in \mathfrak{A}} e'$. Therefore, there must 
exist $e' \in \mathfrak{A}$ such that $e' > \gcd(e, e') > 1$, and the group member 
corresponding to the accumulated $e'$ is identified (and revoked). 
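The following added Python example (written for this page, not the authors' code) isolates the ElGamal part of Sign, Verify and Open. The signer encrypts her witness $w$ under $y_1$ and proves, with $\mathcal{H}$ instantiated as SHA-256 truncated to $k$ bits, knowledge of $(e, r_2, r_3 = r_2 e)$ satisfying $\alpha = g_1^{r_2}$, $v = \beta^e (1/y_1)^{r_3}$ and $1 = \alpha^e (1/g_1)^{r_3}$; the verifier recomputes $\alpha', v', \omega'$ from the responses exactly as in step 1 of Verify, and the manager recovers $w$ from $(\alpha, \beta)$ with $x_1$. The CGHN ciphertext $\delta$, the commitments $\sigma, \tau$ and the factorization proof are left out, and the parameters ($n \approx 2^{23}$, $k = 32$, the message, the composite $997 \cdot 13$) are constructed toy values.

```python
import hashlib, math, secrets

# Toy group-manager parameters (constructed): safe RSA modulus n = (2p'+1)(2q'+1), g_1 in QR_n.
P_, Q_ = 1019, 1031
n = (2 * P_ + 1) * (2 * Q_ + 1)
g1 = pow(5, 2, n)                              # gcd(5 +- 1, n) = 1, so g_1 generates QR_n (Fact 1)
x1 = secrets.randbelow(P_ * Q_ - 1) + 1        # ElGamal private key of the group manager
y1 = pow(g1, x1, n)
L_MOD, K, EPS, LAMBDA_1 = 23, 32, 1.1, 10      # |n|, challenge bits, ZK slack, |X| (toy sizes)
E_BITS = math.ceil(EPS * (2 * LAMBDA_1 + K + 1))   # length of e' and of the s_e range check

def rs(nbits):
    """Uniform element of +-{0,1}^nbits."""
    v = secrets.randbelow(1 << nbits)
    return -v if secrets.randbits(1) else v

def fs_hash(*vals):
    """Random-oracle stand-in: SHA-256 over the transcript, truncated to k bits."""
    h = hashlib.sha256("|".join(map(str, vals)).encode()).digest()
    return int.from_bytes(h, "big") >> (256 - K)

def sign_auth(m, w, e, v):
    """ElGamal-encrypt the witness and prove w^e = v for the encrypted w (authorization-proof)."""
    r2 = rs(L_MOD + K)
    alpha, beta = pow(g1, r2, n), (w * pow(y1, r2, n)) % n
    r3 = r2 * e
    e_p = rs(E_BITS)
    r2_p = rs(math.ceil(EPS * (L_MOD + 2 * K)))
    r3_p = rs(math.ceil(EPS * (L_MOD + 2 * LAMBDA_1 + 2 * K + 1)))
    alpha_p = pow(g1, r2_p, n)
    v_p = (pow(beta, e_p, n) * pow(y1, -r3_p, n)) % n      # beta^e' (1/y_1)^r3'
    omega_p = (pow(alpha, e_p, n) * pow(g1, -r3_p, n)) % n  # alpha^e' (1/g_1)^r3'
    c = fs_hash(m, n, g1, y1, v, alpha, beta, alpha_p, v_p, omega_p)
    return (m, c, alpha, beta, e_p - c * e, r2_p - c * r2, r3_p - c * r3)   # responses over Z

def verify_auth(sig, v):
    """Recompute alpha', v', omega' from the responses and compare the challenge (Verify, step 1)."""
    m, c, alpha, beta, s_e, s_r2, s_r3 = sig
    alpha_p = (pow(g1, s_r2, n) * pow(alpha, c, n)) % n
    v_p = (pow(beta, s_e, n) * pow(y1, -s_r3, n) * pow(v, c, n)) % n
    omega_p = (pow(alpha, s_e, n) * pow(g1, -s_r3, n)) % n
    return (abs(s_e) <= 1 << (E_BITS + 1)
            and c == fs_hash(m, n, g1, y1, v, alpha, beta, alpha_p, v_p, omega_p))

def open_auth(sig):
    """Open: the manager decrypts (alpha, beta) with x_1, i.e. w = beta / alpha^{x_1} mod n."""
    _, _, alpha, beta, *_ = sig
    return (beta * pow(alpha, -x1, n)) % n

def demo():
    e = 997 * 13                                  # toy composite e = e_1 e_2
    w = pow(7, 2, n)                              # the member's witness, an element of QR_n
    v = pow(w, e, n)                              # accumulator value with w^e = v
    sig = sign_auth("pay 10 to Bob", w, e, v)
    v_other = pow(v, 3, n)                        # a different (e.g. post-revocation) accumulator
    return verify_auth(sig, v), open_auth(sig) == w, verify_auth(sig, v_other)
```

The last element of `demo()` is the point made in Section 7 about outdated accumulators: a signature is bound to the $v$ hashed into the challenge, so it does not verify against any other accumulator value.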


6.8 Analysis 

Theorem 2. ([TX03]) The above scheme is a secure group signature scheme. 
Corollary 1. The interactive version of the above group signature scheme is a 
secure identity escrow scheme. 
7 Discussion 

On the Factorization Assumption. For typical group signature applications we 
suggest that the group manager use 2048-bit RSA moduli. For the other parameters, 
we suggest (as an example) $\lambda_1 = 950$, $\lambda_2 = 700$, $\epsilon = 1.1$, $k = 160$. This 
means that we assume the hardness of factoring large 2-prime composites where 
$(\lambda_1 - \lambda_2)$ high-order bits of one prime are known. This assumption is stronger 
than the standard factorization assumption. However, despite the fixed prefix, 
it still seems reasonable to assume the hardness of factoring such a composite. 
(We note that a very similar assumption was used before, e.g., by Camenisch 
and Michels in [CM98].) Given partial knowledge of the factorization, the best 
factoring algorithm currently available indicates that, if the higher 475 bits of 
a prime factor are known, then one can factor $n$ [C96]. Beyond that, no better 
result is available [C03]. Note that if the higher bits of one prime factor are 
known, then the higher bits of the other factor are also exposed. Nevertheless, 
knowing $(\sigma, \tau = \sigma^{e_2} \bmod N)$ still requires an adversary to compute $e_2$ in $O(2^{350})$ 
time (see [G00] and the references therein). 

“Lazy” Accumulator Update? In a group signature scheme based on a dynamic 
accumulator, it is necessary for both signer and verifier to get the updated 
accumulator whenever a member leaves. In the Camenisch-Lysyanskaya 
scheme, they suggest a nice trick whereby a Join may not have to trigger a group 
member to get the updated accumulator value. While this trick enables a potential 
gain in communications, it may incur some serious problems in practice. Consider 
the following scenario: since Alice is lazy, she does not contact the group 
manager to check the current accumulator value. Instead, she waits for a broadcast 
message from the group manager. If this message is blocked by an adversary, 
there is no way for Alice to tell whether there has been an accumulator update. 
Consequently, Alice would generate a group signature which is valid with respect 
to the outdated accumulator value, i.e., the previous accumulator incarnation. 
However, the signature is invalid with respect to the current accumulator value. 
It is unclear how a potential dispute involving this signature can be resolved. At 
best, the verifier can abuse such a signature. 

We suggest that Alice should be diligent and prevent such anomalies by 
actively querying the group manager for the current accumulator value. This 
way, if she does not elicit any reply from the group manager, she can simply 
refuse to generate any group signatures. 

On TTP Presence. Our scheme operates in the common auxiliary string model, 
which assumes a common string (the specification of a commitment scheme) 
generated by a trusted third party (TTP) and made available to all participants. The 
inconvenience posed by this is not significant owing to the following mitigating 
factors: 

— The TTP's role is only to initialize the cryptographic setting of a commitment 
scheme. In fact, the TTP can simply disappear after publishing the 
commitment scheme parameters, since it is not involved in any future 
transactions. 

— A single TTP could serve multiple group signature settings, thereby amortizing 
the complexity. Moreover, threshold cryptography can be used to 
implement a distributed TTP (see [ACS02]). 

— Currently, the most efficient method of obtaining identity escrow schemes 
(such as [KP98]) that are concurrently secure is based on the existence of 
common auxiliary strings [D00]. Therefore, the identity escrow scheme derived 
from our group signature scheme can be made concurrently secure 
without incurring any extra complexity. 

8 Conclusion 

We presented a dynamic accumulator construct that accumulates composites, 
and an efficient protocol for proving knowledge of the factorization of a committed 
value. Based on these techniques, we developed a novel, efficient and 
provably secure group signature scheme. 
Abstract. ESIGN is an efficient signature scheme that has been proposed 
in the early nineties (see [14]). Recently, an effort was made to lay 
ESIGN on firm foundations, using the methodology of provable security. 

A security proof [15] in the random oracle model, along the lines of [2], 
appeared in support for ESIGN. However, several unexpected difficulties 
were found. Firstly, it was observed in [20] that the proof from [15] 
holds in a more restricted model of security than claimed. Even if it is 
quite easy to restore the usual security level, as suggested in [9], this 
shows that the methodology of security proofs is more subtle than it at 
first appears. Secondly, it was found that the proof needs the additional 
assumption that $e$ is prime to $\varphi(n)$, thus excluding the case where $e$ is 
a small power of two, a very attractive parameter choice. The difficulty 
here lies in the simulation of the random oracle, since it relies on the 
distribution of $e$-th powers, which is not completely understood from a 
mathematical point of view, at least when $e$ is not prime to $\varphi(n)$. In this 
paper, we prove that the set of $e$-th powers modulo an RSA modulus $n$, 
which is a product of two equal size integers $p, q$, is almost uniformly 
distributed on any large enough interval. This property allows us to complete 
the security proof of ESIGN. We actually offer two proofs of our result: 
one is based on two-dimensional lattice reduction, and the other uses 
Dirichlet characters. Besides yielding better bounds, the latter is one new 
example of the use of analytic number theory in cryptography. 

1 Introduction 

Since the appearance of the celebrated RSA cryptosystem [18], a lot of effort has
been devoted to finding alternative schemes. In the area of signatures, a major
challenge is to reduce the computing effort needed from the signer, since it is
well known that RSA requires a full-size modular exponentiation. Among the
potential candidates to answer this challenge is the ESIGN signature scheme,
which was proposed in the early nineties (see [14]). While RSA generates
signatures by computing an $e$-th root of a hash value, ESIGN only requires
finding an element whose $e$-th power is close enough to the hash value. Thus, the
mathematical assumption underlying ESIGN is that, given an element $y$ of $\mathbb{Z}_n^*$,
it is hard to find $x$ with $e$-th power lying in an interval with lower endpoint $y$
and length say $n^{2/3}$. This is called the approximate $e$-th root problem, in short
AERP. Combining this relaxed assumption with the use of an RSA modulus of
the form $n = p^2 q$ allows a very efficient way to sign, with a computing time
essentially equivalent to a single exponentiation to the $e$-th power. This is especially
attractive when $e$ is small, and in particular a small power of two.

C.S. Laih (Ed.): ASIACRYPT 2003, LNCS 2894, pp. 287-301, 2003.

As most newly proposed cryptosystems, ESIGN has attracted cryptanalytic
effort. Papers [3,21] described several attacks against the underlying problem,
for $e = 2, 3$. Still, it is fair to say that there is no known attack against AERP
when $e > 4$. Recently, in connection with several standardization efforts such
as IEEE P1363, Cryptrec and NESSIE, an effort was made to lay ESIGN on firm
foundations, using the methodology of provable security. A security proof in the
random oracle model, along the lines of [2], formally relating the security of
ESIGN to the AERP problem, appeared in [15]. However, several unexpected
difficulties were found. Firstly, it was observed in [20] that the proof from [15]
holds in a more restricted model of security than claimed: this model, termed
single occurrence chosen message attack (SO-CMA), is very similar to the usual
chosen message attack scenario but does not allow the adversary to submit the
same message twice for signature. This observation does not endanger the scheme
in any way, and furthermore, it is quite easy to restore the usual CMA security,
as suggested in [9]. Still, it shows that the methodology of security proofs is
more subtle than it at first appears, a fact already pointed out by Shoup [19]
in the context of public key encryption. Secondly, it was found that the proof
needs the additional assumption that $e$ is prime to $\varphi(n)$, thus excluding some
very attractive parameter choices, notably powers of two. The difficulty here lies
in the simulation of the random oracle, since it relies on the distribution of $e$-th
powers, which is not completely understood from a mathematical point of view.
In this paper, we prove that the set of $e$-th powers modulo an RSA modulus $n$,
which is a product of two equal size primes $p, q$, is almost uniformly distributed
on any large enough interval. In other words, the number of $e$-th powers modulo
$n$ in any interval of large enough length $n^\delta$ is close to $\frac{n^\delta}{d}\,\frac{\varphi(n)}{n}$, where $d$ is the
number of $e$-th roots of unity modulo $n$. We actually offer two proofs of our
result. The first proof relies on methods from the geometry of numbers and uses
two-dimensional lattices. The second proof borrows from analytic number theory
and uses Dirichlet characters and the Polya-Vinogradov inequality. Both proofs
yield concrete estimates, which are enough to complete the security proof of
ESIGN. Although the estimates in the second proof are sharper, we have found it
interesting to include the two methods, which are of independent interest.

Removing the restriction that $e$ is prime to $\varphi(n)$ may appear a side issue.
However, we believe that it is important both for practical and methodological
reasons. As already noted, ESIGN has a very fast algorithm for signature
generation, since its main step is a single exponentiation to the $e$-th power.
Making $e$ a power of two is the best way to take advantage of this feature
and should be allowed by the security proof. Also, as shown by various results,
notably [19,20], provable security has many subtleties. In the present paper, the
subtlety lies in the simulation of the random oracle. As far as we know, this is the
only example where this part is not straightforward, and the underlying difficulty
may easily be overlooked. In other words, it may appear obvious that picking $x$
at random and suitably truncating $x^e \bmod n$ simulates a random oracle, which
is the main result of our paper. However, it is not, at least when $e$ is not prime
to $\varphi(n)$, and it is actually related to deep mathematical questions of analytic
number theory.

Our paper is organized as follows: we first recall some preliminaries from
number theory. Next, we present the two proofs. Finally, we produce a proof of
security for ESIGN, not using the assumption that $e$ is prime to $\varphi(n)$. In this
proof, we focus on the simulation of the random oracle, and explain where our
result on power residues is needed.

2 Number Theoretic Preliminaries 

2.1 Lattices 

Let $n$ be an RSA modulus. For any integer $a$, we consider the lattice
$$L(a) = \{(x, y) \in \mathbb{Z}^2 \mid x - ay \equiv 0 \pmod n\}.$$

We note that $L(a)$ is a two-dimensional lattice with determinant $n$. Thus, its
shortest vector should be of euclidean norm of the order $\sqrt{n}$. It can be obtained
by applying the Gaussian reduction algorithm. This algorithm outputs within
time $O((\log n)^3)$ a basis of $L(a)$ consisting of two non-zero vectors $U(a)$ and
$V(a)$ such that
$$\|U\| \le \|V\| \quad\text{and}\quad |(U, V)| \le \|U\|^2/2,$$
where we have omitted $a$ for clarity. From a geometrical point of view, the
inequalities imply that the angle $\theta$ of $U$ and $V$ is such that $|\cos\theta| \le 1/2$, hence
$|\sin\theta| \ge \sqrt{3}/2$, and therefore
$$n = |U \wedge V| = \|U\|\,\|V\|\,|\sin\theta| \ge \frac{\sqrt{3}}{2}\,\|U\|\,\|V\|.$$

We say that $L(a)$ is an $\varepsilon$-good lattice if $\|U\|$ is bounded from below by $n^{1/2-\varepsilon}$.
Note that, for such a lattice, we have
$$\|V\| \le \frac{2}{\sqrt{3}}\, n^{1/2+\varepsilon}.$$

Lemma 1. The number of elements $a$ in $\mathbb{Z}_n$ such that $L(a)$ is not an $\varepsilon$-good
lattice is at most $4n^{1-2\varepsilon}$.

Proof. This follows from the fact that the shortest non-zero vector of a lattice
$L(a)$ which is not $\varepsilon$-good lies in the disk centered at the origin, with radius
$n^{1/2-\varepsilon}$. The number of integer points in this disk is bounded by $4n^{1-2\varepsilon}$. To conclude,
it is enough to observe that an element $(x, y)$ of the disk other than $(0, 0)$ cannot
belong to two distinct $L(a)$ lattices, unless $y$ is not in $\mathbb{Z}_n^*$, which cannot happen
since $n$ is an RSA integer, i.e. has two prime factors of almost equal size.
We let $P$ be the parallelepiped spanned by $U$ and $V$.

Lemma 2. Let $L(a)$ be $\varepsilon$-good. The width of $P$ is at most $2n^{1/2+\varepsilon}$.

Proof. The square of the width is indeed bounded by
$$\|U\|^2 + \|V\|^2 + 2|(U, V)| \le 2\|U\|^2 + \|V\|^2 \le 3\|V\|^2,$$
which is bounded by $4n^{1+2\varepsilon}$. The lemma follows.

Lemma 3. Let $L(a)$ be $\varepsilon$-good. Let $I$ be an interval of length $n^\delta$, with $\delta > 1/2$.
The square $I \times I$ has at most $(n^{\delta-1/2} + 2n^\varepsilon)^2$ elements in $L(a)$.

Proof. Let $P'$ be obtained by translating $P$ by $-\frac{U+V}{2}$. We consider the set $X$ of
lattice points $M$ such that the parallelepiped $M + P'$ meets $I \times I$. The number
of such points is clearly an upper bound for the number of lattice points inside
$I \times I$. Now, the various parallelepipeds $M + P'$ are pairwise disjoint and, by lemma 2,
they are contained in the square $J \times J$, obtained by enlarging $I$ by $n^{1/2+\varepsilon}$ on
each side. Summing up the areas of the individual cells, we get:
$$n|X| \le (n^\delta + 2n^{1/2+\varepsilon})^2,$$
which provides the desired bound on the number $|X|$ of elements of $X$.

When $L(a)$ is not $\varepsilon$-good, we can show a weaker bound:

Lemma 4. Let $a$ be any integer. Let $I$ be an interval of length $n^\delta$, with $\delta < 1$.
The square $I \times I$ has at most $n^\delta + 1$ elements in $L(a)$.

Proof. For fixed $y$, there is at most one pair $(x, y)$ such that $x - ay \equiv 0 \pmod n$ in
any interval of length $< n$, such as $I$. This provides the requested bound $n^\delta + 1$.
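The lattice $L(a)$ and the reduction step above can be checked by hand on a toy modulus. The following is an added example, not code from the paper: it implements Gaussian (Lagrange) reduction of $L(a)$ from the generating pair $(a, 1), (n, 0)$, then brute-forces the quantities of Lemmas 1, 3 and 4. The modulus $n = 101 \cdot 103$, the value $a = 2003$ and the interval $[500, 1524)$ are constructed illustration values.

```python
# Added example (not the paper's code): Gaussian (Lagrange) reduction of the lattice
# L(a) = {(x, y) in Z^2 : x - a*y = 0 mod n} of Section 2.1, plus brute-force checks
# of Lemmas 1, 3 and 4 on the constructed toy modulus n = 101 * 103 with a = 2003.

def dot(u, v):
    return u[0] * v[0] + u[1] * v[1]

def gauss_reduce(u, v):
    """Lagrange/Gauss reduction: returns (U, V) spanning the same lattice with
    ||U|| <= ||V|| and |(U, V)| <= ||U||^2 / 2, so U is a shortest lattice vector."""
    while True:
        if dot(u, u) > dot(v, v):
            u, v = v, u
        uu = dot(u, u)
        m = (2 * dot(u, v) + uu) // (2 * uu)   # round((u, v) / (u, u)), exact integer arithmetic
        if m == 0:
            return u, v
        v = (v[0] - m * u[0], v[1] - m * u[1])

def reduced_basis(n, a):
    """(a, 1) and (n, 0) generate L(a) and have determinant n; reduce them."""
    return gauss_reduce((a % n, 1), (n, 0))

def basis_is_reduced_and_in_lattice(n, a):
    """Both vectors lie in L(a), |U ^ V| = n, and the two reduction inequalities hold."""
    U, V = reduced_basis(n, a)
    in_lattice = all((w[0] - a * w[1]) % n == 0 for w in (U, V))
    det_ok = abs(U[0] * V[1] - U[1] * V[0]) == n
    return in_lattice and det_ok and dot(U, U) <= dot(V, V) and 2 * abs(dot(U, V)) <= dot(U, U)

def is_eps_good(n, a, eps):
    """eps-good: the shortest vector has norm at least n^(1/2 - eps)."""
    U, _ = reduced_basis(n, a)
    return dot(U, U) >= n ** (1 - 2 * eps)

def count_not_eps_good(n, eps):
    """Number of a in Z_n with L(a) not eps-good; Lemma 1 bounds it by 4 n^(1 - 2 eps)."""
    return sum(1 for a in range(n) if not is_eps_good(n, a, eps))

def lattice_points_in_square(n, a, lo, length):
    """Points of L(a) inside [lo, lo+length)^2 for length <= n (the quantity of Lemmas 3 and 4)."""
    count = 0
    for y in range(lo, lo + length):
        x = lo + ((a * y - lo) % n)      # the unique x in [lo, lo+n) with x = a*y mod n
        if x < lo + length:
            count += 1
    return count

def lemma3_bound(n, length, eps):
    """(n^(delta - 1/2) + 2 n^eps)^2, written with n^delta = length."""
    return (length / n ** 0.5 + 2 * n ** eps) ** 2

if __name__ == "__main__":
    n, a, eps = 101 * 103, 2003, 1 / 6
    U, V = reduced_basis(n, a)
    print("reduced basis of L(a):", U, V, "eps-good:", is_eps_good(n, a, eps))
    print("a with L(a) not eps-good:", count_not_eps_good(n, eps),
          "<= 4 n^(1-2eps) =", 4 * n ** (1 - 2 * eps))
    pts = lattice_points_in_square(n, a, 500, 1024)
    print("points in a 1024 x 1024 square:", pts, "Lemma 3 bound:", lemma3_bound(n, 1024, eps))
```

Here $1024 = n^\delta$ with $\delta \approx 0.75 > 1/2$, so Lemma 3 applies whenever $L(a)$ is $\varepsilon$-good; in every case Lemma 4 caps the count at $n^\delta + 1$, since each $y$ contributes at most one $x$.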

2.2 Dirichlet Characters 

Let $G$ be a finite (multiplicative) abelian group. A character $\chi$ over $G$ is a
multiplicative homomorphism from $G$ into the multiplicative group of complex
numbers. The set of characters over $G$ is a group, called the dual of $G$ and
denoted $\hat G$. Its unit $\chi_0$ is the principal character, defined by $\chi_0(g) = 1$ for any
$g \in G$.

The following is well-known (see [6], chapter 7):

Theorem 1. i) There are exactly $|G|$ characters over $G$.

ii) For any $g \ne 1$, the following holds:
$$\sum_{\chi \in \hat G} \chi(g) = 0.$$

iii) For any $\chi \ne \chi_0$, the following holds:
$$\sum_{g \in G} \chi(g) = 0.$$

A Dirichlet character $\chi$ is a character over $\mathbb{Z}_n^*$, for some integer $n$. The characters
can be extended to all integers by using the value $0$ at integers not invertible
mod $n$. In the sequel, we will need a bound on the sum of such characters over
large intervals. This is given by the Polya-Vinogradov inequality (see [5] or [6],
chapter 9):

Theorem 2. For any non-principal Dirichlet character $\chi$ over $\mathbb{Z}_n^*$ and any integer
$h$, the following holds:
$$\Bigl|\sum_{x=1}^{h} \chi(x)\Bigr| \le 2\sqrt{n}\,\ln n.$$

Remark. When $n$ is a prime number $p$, and, more generally when $\chi$ is a so-called
primitive character, the multiplicative constant $2$ in the above can be replaced
by $1$. We will not need such refinement.

3 Almost Uniform Density of e-th Powers 

We now turn to our main result. We first review the standard situation of an
RSA exponent.

3.1 The Case Where e Is Prime to $\varphi(n)$

Lemma 5. Let $n$ be an RSA modulus and $e$ be an integer prime to $\varphi(n)$. Let $I$
be an interval of length $n^\delta$, with $\delta < 1$. The number of integers from $I$ which are
$e$-th powers of an element of $\mathbb{Z}_n^*$ differs from $\frac{n^\delta \varphi(n)}{n}$ by at most $4$.

Proof. Since exponentiation to the $e$-th power is one-to-one, we have to count
the number of elements in $I \cap \mathbb{Z}_n^*$. The number of multiples of $p$ in $I$ differs from
$n^\delta/p$ by at most one. Similarly for $q$. Since there may be one multiple of $pq$, the
final count is almost $K$, where
$$K = \frac{n^\delta \varphi(n)}{n},$$
and the difference with $K$ is bounded by $3 + \frac{n^\delta}{n} < 4$.

We now turn to the general case. Observe that the set of $e$-th powers is a subgroup
of $\mathbb{Z}_n^*$. Accordingly, we will adopt this group-theoretic setting.


3.2 A Proof Based on Lattices 

We prove the following:

Theorem 3. Let $n$ be an RSA modulus. Let $I$ be an interval of length $n^\delta$, with
$2/3 < \delta < 1$. Let $G$ be any subgroup of $\mathbb{Z}_n^*$ and let $d$ be the number of elements of
the quotient group $\mathbb{Z}_n^*/G$. Then, for some constant $M$, the number of elements
of $I \cap G$ is $K(1 + \Delta(I))$, where
$$K = \frac{n^\delta}{d}\,\frac{\varphi(n)}{n},$$
and $|\Delta(I)|$ is bounded by $M n^{1/3-\delta/2}$. Furthermore, $M$ has the explicit bound
$M \le 5d$.

Remark. Observe that the case where $G = \mathbb{Z}_n^*$ is an easy consequence of lemma 5.

Proof. We number the elements of $\mathbb{Z}_n^*/G$ as $g_1, \dots, g_d$ (with $g_1$ the unit of $G$),
and we let $a_i$ be the number of elements of $\mathbb{Z}_n^* \cap I$ which equal $g_i$ modulo $G$. We
first show an upper bound for
$$A = \sum_{i=1}^{d} a_i^2.$$

For any pair $(x, y)$ in $I \times I$, we define $\sigma(x, y)$ as $xy^{-1} \bmod n$, when $x, y$ both
belong to $\mathbb{Z}_n^*$, and set $\sigma(x, y) = \infty$ otherwise. Observe that $A$ can be interpreted as
the number of pairs $(x, y)$ of elements of $\mathbb{Z}_n^* \cap I$ such that $\sigma(x, y) \in G$. Indeed, $xy^{-1} \bmod n$
is in $G$ if and only if $x$ and $y$ are equal modulo $G$. We now use a counting
argument to estimate the size of $\sigma^{-1}(a)$, when $a$ ranges over $G$. We distinguish
two cases:

1. When $L(a)$ is an $\varepsilon$-good lattice, then, by lemma 3, $\sigma^{-1}(a)$ has at most
$(n^{\delta-1/2} + 2n^\varepsilon)^2$ elements.

2. Otherwise, we use lemma 4 to get that $\sigma^{-1}(a)$ has at most $n^\delta + 1$ elements,
which we replace by the (crude) bound $2n^\delta$.

Since there are at most $4n^{1-2\varepsilon}$ values of $a$ which give rise to a lattice $L(a)$ which
is not $\varepsilon$-good, we get
$$A \le \frac{\varphi(n)}{d}\,(n^{\delta-1/2} + 2n^\varepsilon)^2 + 8n^{1-2\varepsilon+\delta}.$$

Upper bounding $\varphi(n)$ by $n$, we get:
$$A \le \frac{n^{2\delta}}{d}\,(1 + 2n^{1/2+\varepsilon-\delta})^2 + 8n^{1-2\varepsilon+\delta}.$$

We now set $\varepsilon = 1/6$. This yields the bound
$$A \le \frac{n^{2\delta}}{d}\,(1 + 2n^{2/3-\delta})^2 + 8n^{2\delta}\, n^{2/3-\delta}.$$

Since $\delta > 2/3$, $n^{2/3-\delta} < 1$ and its square is bounded by $n^{2/3-\delta}$. We finally
get:
$$A \le \frac{n^{2\delta}}{d}\,\bigl(1 + (8 + 8d)\,n^{2/3-\delta}\bigr).$$
We now use the fact that the sum $B = \sum_{i=1}^{d} a_i$ is essentially known. Referring
to the proof of lemma 5 above, we see that it differs from
$$\frac{n^\delta \varphi(n)}{n}$$
by at most $4$. Now, the vector $(a_1, \dots, a_d)$ lies on the $d$-dimensional hyperplane
$H$ defined by $B = \sum_{i=1}^{d} x_i$. Let $(b_1, \dots, b_d)$ be the orthogonal projection of the
origin on $H$. It is easily seen that $b_i = B/d$. The square of the euclidean distance
between $(a_1, \dots, a_d)$ and $(b_1, \dots, b_d)$ is $\sum_{i=1}^{d} a_i^2 + \sum_{i=1}^{d} b_i^2 - 2\sum_{i=1}^{d} a_i b_i$. This is
$A - \frac{B^2}{d}$; we are thus led to find a lower bound for $\frac{B^2}{d}$. Using the same estimate
as for the proof of lemma 5, we write
$$\frac{B^2}{d} \ge \frac{n^{2\delta}}{d}\Bigl(\frac{\varphi(n)}{n} - \frac{4}{n^\delta}\Bigr)^2.$$

Using the fact that we have an RSA modulus, we use the lower bound $1 - \frac{3}{\sqrt n}$
for $\frac{\varphi(n)}{n}$ and, combining with the above, obtain the final bound
$$\frac{B^2}{d} \ge \frac{n^{2\delta}}{d}\,\bigl(1 - 14\,n^{2/3-\delta}\bigr).$$

Finally, piecing bounds together, we get:
$$A - \frac{B^2}{d} \le \frac{n^{2\delta}}{d}\,(22 + 8d)\,n^{2/3-\delta},$$
which provides a bound for $(a_1 - b_1)^2 = (a_1 - B/d)^2$. Observing that we only
have to deal with $d \ge 2$, we easily get that $|a_1 - B/d|$ is at most
$$\sqrt{19}\, n^\delta\, n^{1/3-\delta/2}.$$

Replacing $B/d$ by the constant
$$\frac{n^\delta}{d}\,\frac{\varphi(n)}{n}$$
yields a minute difference $\le 4/d$, which we handle by slightly raising the $\sqrt{19}$
constant. Thus, $a_1$ can be written $K(1 + \Delta(I))$, with
$$|\Delta(I)| \le (\sqrt{19} + \gamma)\, d\,\frac{n}{\varphi(n)}\, n^{1/3-\delta/2}$$
for a small constant $\gamma$. We finally handle the term $\frac{n}{\varphi(n)}$ by raising the constant
again. This gives the requested bound
$$|\Delta(I)| \le 5d\, n^{1/3-\delta/2}.$$
3.3 A Proof Based on Characters

We now show that a better bound for $\Delta(I)$ can be obtained as a consequence of
the Polya-Vinogradov inequality of theorem 2.

Theorem 4. Let $n$ be an RSA modulus. Let $I$ be an interval of length $n^\delta$, with
$1/2 < \delta < 1$. Let $G$ be any subgroup of $\mathbb{Z}_n^*$ and let $d$ be the number of elements of
the quotient group $\mathbb{Z}_n^*/G$. Then, for some constant $M$, the number of elements
of $I \cap G$ is $K(1 + \Delta(I))$, where
$$K = \frac{n^\delta}{d}\,\frac{\varphi(n)}{n},$$
and $|\Delta(I)|$ is bounded by $M n^{1/2-\delta}\ln n$. Furthermore, $M$ has the explicit bound
$M \le 5d$.

Proof. We consider the dual $\hat H$ of the quotient group $H = \mathbb{Z}_n^*/G$. For any character
$\chi$ over $H$, we can extend $\chi$ to $\mathbb{Z}_n^*$, by composing with the canonical homomorphism
from $\mathbb{Z}_n^*$ onto $H$. We still denote by $\chi$ the resulting character. Since
there are $d$ characters altogether, we get, using the relations in theorem 1, that
the number of elements of $I \cap G$ is equal to the sum
$$\frac{1}{d}\sum_{x \in I}\,\sum_{\chi \in \hat H} \chi(x).$$

Changing the order of the sums, we see that this number consists of two terms:

1. one comes from the principal character and equals $\frac{|I \cap \mathbb{Z}_n^*|}{d}$;

2. the others come from the non-trivial characters, and, by the Polya-Vinogradov
inequality, each is bounded by $\frac{2}{d}\sqrt{n}\,\ln n$.

By lemma 5, the first contribution differs from
$$\frac{n^\delta}{d}\,\frac{\varphi(n)}{n}$$
by at most $\frac{4}{d}$. Summing up with the second contribution, we obtain the bound:
$$\frac{4}{d} + \frac{2(d-1)}{d}\, n^{1/2}\ln n \le 4\, n^{1/2}\ln n.$$

Altogether, we obtain that the number of elements of $I \cap G$ is $K(1 + \Delta(I))$, with
$$|\Delta(I)| \le 4d\,\frac{n}{\varphi(n)}\, n^{1/2-\delta}\ln n.$$

Using the fact that $n$ is an RSA modulus, we estimate $\varphi(n)$ by $n(1 - 3/\sqrt n)$,
and bound the multiplicative constant by the term
$$\frac{4}{1 - 3/\sqrt n}.$$
This is bounded by $5$. The result follows.

It should be noted that an even better bound has been obtained by Burgess
[4]. The bound covers the case $1/4 < \delta < 1$, and reads:
\X(I)\ < Mdn^-^lnn, 

for any positive $\tau$. However, the constant $M$ is not explicit, and therefore the
improvement is not well suited for our purposes.
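Theorems 3 and 4 are asymptotic, but the objects they speak about can be enumerated for a toy modulus. The following is an added example, not code from the paper: for the constructed modulus $n = 251 \cdot 257$ and $e = 8$ (so $e$ is not prime to $\varphi(n)$), it builds the subgroup $G$ of $e$-th powers, computes its index $d$, and compares the count of $G$ in each interval of length $n^\delta$ with $K = \frac{n^\delta}{d}\frac{\varphi(n)}{n}$. The interval length $4096$ and the primes are constructed values; $\delta = \log 4096/\log n \approx 0.75 > 1/2$, so Theorem 4 applies.

```python
from math import gcd, log

# Added example (not the paper's code): exhaustive check of Theorems 3 and 4 on a
# constructed toy modulus n = 251 * 257 with e = 8.  The e-th powers form a subgroup
# G of Z_n^* of index d; counts of G in intervals of length n^delta are compared with
# K = (n^delta / d) * phi(n) / n.

def eth_power_subgroup(p, q, e):
    """G = { x^e mod n : x in Z_n^* }, by exhaustive enumeration (toy sizes only)."""
    n = p * q
    return {pow(x, e, n) for x in range(1, n) if gcd(x, n) == 1}

def index_of_eth_powers(p, q, e):
    """d = |Z_n^*/G| = number of e-th roots of unity mod n = gcd(e, p-1) * gcd(e, q-1) (CRT)."""
    return gcd(e, p - 1) * gcd(e, q - 1)

def predicted_count(p, q, d, length):
    """K of Theorems 3 and 4, written with n^delta = length."""
    n, phi = p * q, (p - 1) * (q - 1)
    return length / d * phi / n

def theorem4_bound(n, d, length):
    """M n^(1/2 - delta) ln n with M = 5 d and n^delta = length."""
    return 5 * d * (n ** 0.5 / length) * log(n)

def interval_deviations(p, q, e, length):
    """For every interval [lo, lo+length) contained in [0, n): (lo, count, Delta) with
    count = K (1 + Delta).  Also returns |G|, which must equal phi(n) / d."""
    n = p * q
    G = eth_power_subgroup(p, q, e)
    d = index_of_eth_powers(p, q, e)
    K = predicted_count(p, q, d, length)
    rows = []
    for lo in range(0, n - length + 1, length):
        count = sum(1 for x in range(lo, lo + length) if x in G)
        rows.append((lo, count, count / K - 1.0))
    return rows, len(G)

def max_abs_delta(p, q, e, length):
    rows, _ = interval_deviations(p, q, e, length)
    return max(abs(delta) for _, _, delta in rows)

if __name__ == "__main__":
    p, q, e, length = 251, 257, 8, 4096
    d = index_of_eth_powers(p, q, e)
    rows, size = interval_deviations(p, q, e, length)
    print("d =", d, "|G| =", size, "phi(n)/d =", (p - 1) * (q - 1) // d)
    print("K =", predicted_count(p, q, d, length), "Theorem 4 bound on |Delta|:",
          theorem4_bound(p * q, d, length))
    for lo, count, delta in rows:
        print(f"[{lo}, {lo + length}): {count} e-th powers, Delta = {delta:+.3f}")
```

For this size the explicit bound $5d\,n^{1/2-\delta}\ln n$ is far above $1$ and therefore vacuous; the point of the run is that the observed $\Delta$ are already small, while the bound only becomes informative once $n^{\delta-1/2}$ dominates $\ln n$.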

4 The Security Proof of ESIGN 

In this section, we review the proof of security for ESIGN in view of the previous
results. For the reader's convenience, we first provide a short description of the
scheme and of the underlying mathematical problem AERP. We follow [15].

4.1 Description

The key generation algorithm of ESIGN chooses two large primes $p, q$ of equal
size $k$ and computes the modulus $n = p^2 q$. The sizes of $p, q$ are set in such a
way that the binary length $|n|$ of $n$ equals $3k$. Additionally, an exponent $e > 4$
is chosen, possibly a small power of $2$.

Signature generation uses a hash function $H$, outputting strings of length
$k - 1$, and is performed as follows:

1. Pick at random $r$ in $\mathbb{Z}_{pq}^*$.

2. Convert $(0 \,\|\, H(m) \,\|\, 0^{2k})$ into an integer $y$ and compute $z = (y - r^e) \bmod n$.

3. Compute
$$w_0 = \Bigl\lceil \frac{z}{pq} \Bigr\rceil, \qquad w_1 = w_0 \cdot pq - z.$$

4. If $w_1 > 2^{2k-1}$, return to step 1.

5. Set $u = w_0 \cdot (e r^{e-1})^{-1} \bmod p$ and $s = r + upq$.

6. Output $s$ as the signature of $m$.

Signature verification converts the integer $s^e \bmod n$ into a bit string $S$ of length
$3k$ and checks that $[S]_k = 0 \,\|\, H(m)$, where $[S]_k$ denotes the $k$ leading bits of $S$.

The key idea in ESIGN is that the arithmetical progression $r^e \bmod n + tpq$
consists of $e$-th powers of integers easily computed from $r$. The signature generation
algorithm simply adjusts $t$ so as to fall into a prescribed interval, with
lower end-point $y$. The test at step 4 actually sets the length of this prescribed
interval to $2^{2k-1}$.
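The six steps above, run end to end, as an added example that is not code from the paper or from any ESIGN implementation. The parameters are constructed for illustration: $k = 20$, the $20$-bit primes $p = 1000003$ and $q = 999983$ (so $n = p^2 q$ has exactly $3k = 60$ bits), $e = 8$ (a power of two, hence not prime to $\varphi(n)$), and $H(m)$ taken as the top $k-1$ bits of SHA-256$(m)$. The identity behind step 5 is $(r + upq)^e \equiv r^e + e r^{e-1} u\,pq \pmod{p^2 q}$, so $s^e \bmod n = y + w_1$ exactly.

```python
import hashlib
import random

# Added example (not code from the paper): ESIGN signature generation and
# verification of Section 4.1 on a constructed toy key.  Assumptions: k = 20,
# p = 1000003, q = 999983 (both 20-bit primes, n = p^2 q has 60 bits), e = 8,
# and H(m) = the top k-1 bits of SHA-256(m).

K_BITS = 20
P, Q = 1000003, 999983
N = P * P * Q
E = 8
assert N.bit_length() == 3 * K_BITS           # |n| = 3k, as key generation requires

def H(m):
    """Hash to a (k-1)-bit integer, read as the k-bit string 0 || H(m)."""
    h = int.from_bytes(hashlib.sha256(m).digest(), "big")
    return h >> (256 - (K_BITS - 1))

def esign_sign(m, seed=None):
    """Steps 1-6 of Section 4.1, using the trapdoor (p, q)."""
    k, pq = K_BITS, P * Q
    rng = random.Random(seed)
    y = H(m) << (2 * k)                        # integer of 0 || H(m) || 0^{2k}
    while True:
        r = rng.randrange(1, pq)               # step 1: r in Z_{pq}^*
        if r % P == 0 or r % Q == 0:
            continue
        z = (y - pow(r, E, N)) % N             # step 2
        w0 = -(-z // pq)                       # step 3: ceil(z / pq)
        w1 = w0 * pq - z
        if w1 >= 1 << (2 * k - 1):             # step 4: restart unless w1 < 2^{2k-1}
            continue
        inv = pow(E * pow(r, E - 1, P) % P, -1, P)
        u = (w0 * inv) % P                     # step 5: u = w0 (e r^{e-1})^{-1} mod p
        return r + u * pq                      # s < pq + (p-1) pq = n

def esign_verify(m, s):
    """Compare the k leading bits of the 3k-bit string s^e mod n with 0 || H(m)."""
    if not 0 < s < N:
        return False
    return (pow(s, E, N) >> (2 * K_BITS)) == H(m)

def solves_aerp(y, x):
    """x^e mod n lies in [y, y + 2^{2k-1}): the relation the signer produces."""
    v = pow(x, E, N)
    return y <= v < y + (1 << (2 * K_BITS - 1))

if __name__ == "__main__":
    msg = b"ASIACRYPT 2003"
    s = esign_sign(msg, seed=1)
    print("signature:", s, "valid:", esign_verify(msg, s))
    print("s^e mod n in [y, y + 2^{2k-1}):", solves_aerp(H(msg) << (2 * K_BITS), s))
```

Because $y \le (2^{k-1}-1)\,2^{2k}$ and $w_1 < 2^{2k-1}$, the sum $y + w_1$ stays below $2^{3k-1} \le n$, so no reduction modulo $n$ ever disturbs the $k$ leading bits; this is why the verifier can compare bit prefixes directly.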

The following lemma will prove useful in the sequel.

Lemma 6. For a fixed message $m$, the $e$-th power $s^e \bmod n$ of the output $s$ of
the signature generation algorithm is uniformly distributed over the set of $e$-th
powers of elements of $\mathbb{Z}_n^*$ lying in the interval $[y, y + 2^{2k-1})$.
Proof. Denote by $S(y)$ the intersection of the set of $e$-th powers in $\mathbb{Z}_n^*$ and the
interval $[y, y + 2^{2k-1})$. Observe that $s = r + tpq$ uniquely defines $r = s \bmod pq$
from $s$. This shows that any element in $S(y)$ comes from a single $r$. To see
that all elements in $S(y)$ are uniformly hit, pick $w \in S(y)$, consider any $r$ in
$\mathbb{Z}_{pq}^*$ such that $r^e \equiv w \pmod{pq}$, and apply the signature generation algorithm
with $r$, disregarding the check at step 4. This produces a value of $s$ such that
$s^e \equiv r^e \equiv w \pmod{pq}$. Thus, $w$ and $s^e \bmod n$ lie in the arithmetical progression
$s^e + tpq$. Since this arithmetical progression has a single element in the interval
$[y, y + 2^{2k-1})$, we get that $s^e \bmod n = w$. The check at step 4 turns out correct
and the signature generation algorithm duly hits $w$ as many times as the number
of $e$-th roots of an $e$-th power.


4.2 The Approximate e-th Root Problem 

As noted in the previous section, RSA moduli of the form $p^2 q$ offer a very efficient
way to solve the following problem, having knowledge of the factorization of $n$:
given $n$ and $y$ in $\mathbb{Z}_n^*$, find $x$ such that $x^e \bmod n$ lies in the interval $[y, y + 2^{2k-1})$,
where the bit-size of $n$ is $3k$ and $[y, y + 2^{2k-1})$ denotes $\{u \mid y \le u < y + 2^{2k-1}\}$.

It is conjectured that the above problem, called the approximate $e$-th root
problem (AERP) in [15], is hard to solve. More precisely, denote by $\mathrm{Succ}^{\mathrm{aerp}}(\tau, k)$
the probability for any adversary $\mathcal{A}$ to find an element whose $e$-th power lies in
the prescribed interval, within time $\tau$, in symbols:
$$\Pr\bigl[(n, e) \leftarrow \mathcal{K}(1^k),\ y \leftarrow \mathbb{Z}_n,\ x \leftarrow \mathcal{A}(n, e, y) : (x^e \bmod n) \in [y, y + 2^{2k-1})\bigr],$$
then, for large enough moduli, this probability is extremely small. Variants of
the above can be considered, where the length of the interval is replaced by $2^{2k}$
or $2^{2k+1}$.


4.3 Security Proof 

We now complete the security proof of ESIGN, in order to cover the case where
$e$ is not prime to $\varphi(n)$. We use the random oracle model and prove the
following security result, where $T_{\exp}(k)$ denotes the computing time of modular
exponentiation modulo a $3k$-bit integer.

Theorem 5. Let $\mathcal{A}$ be a SO-CMA-adversary against the ESIGN signature
scheme that produces an existential forgery, with success probability $\varepsilon$, within
time $t$, making $q_H$ queries to the hash function and $q_s$ distinct requests to the
signing oracle respectively. Then, AERP can be solved with probability $\varepsilon'$, and
within time $t'$, where
$$\varepsilon' \ge \frac{\varepsilon - 2^{-k+1}}{q_H} - (q_H + q_s)\times\Bigl(\frac{3}{4}\Bigr)^k - \frac{k e^2 (q_H + q_s)}{2^{k-6}},$$
$$t' \le t + k(q_s + q_H)\cdot T_{\exp}(k).$$



Almost Uniform Density of Power Residues 297 


Our method of proof is inspired by Shoup [19]. It differs from [15] but extends
the proof given in [20]. The security estimates are similar and show the same
multiplicative loss $q_H$; contrary to schemes based on self-reducible problems,
it does not seem that this can be avoided. Recall that earlier proofs used the
assumption that $e$ is prime to $\varphi(n)$, which we avoid. This brings additional terms
in the security estimates, which account for the simulation of the random oracle.
Also note that our security model is the single occurrence chosen message attack
SO-CMA from [20], where the attacker is only allowed to query each message
once. As already noted, it is easy to modify the scheme to withstand CMA
attackers and our proof can be modified accordingly.

As usual, the proof considers a sequence $\mathrm{Game}_1$, $\mathrm{Game}_2$, etc. of modified
attack games starting from the actual game $\mathrm{Game}_0$. Each of the games operates
on the same underlying probability space, only the rules defining how the view
is computed differ from game to game.

Proof (of Theorem 5). We consider an adversary $\mathcal{A}$ outputting an existential
forgery $(m, s)$, with probability $\varepsilon$, within time $t$. We denote by $q_H$ and $q_s$ respectively
the number of queries to the random oracle $H$ and to the signing
oracle. As explained, we start by playing the game coming from the actual adversary,
and modify it step by step, until we reach a final game, whose success
probability has an upper-bound obviously related to solving AERP on a random
instance $(n, e, v)$.

$\mathrm{Game}_0$: The key generation algorithm $\mathcal{K}(1^k)$ is run and produces a pair of keys
$(pk, sk)$. The adversary $\mathcal{A}$ is fed with $pk$ and, querying the random oracle $H$
and the signing oracle $\Sigma_{sk}$, it outputs a pair $(m, s)$. We denote by $S_0$ the
event that $\mathcal{V}_{pk}(m, s) = 1$. We use a similar notation $S_i$ in any $\mathrm{Game}_i$ below.
By definition, we have
$$\Pr[S_0] = \varepsilon.$$

$\mathrm{Game}_1$: In this game, we discard executions which end up outputting a valid
message/signature pair $(m, s)$ such that $m$ has not been queried from $H$.
This means restricting to the event $\mathsf{AskH}$ that $m$ has been queried from $H$.
Unwinding the ESIGN format, we write: $s^e = 0 \,\|\, w \,\|\, * \bmod n$. If $\mathsf{AskH}$ does
not hold, $H(m)$ is undefined, and the probability that $H(m) = w$ holds is
$1/2^{k-1}$: $\Pr[S_0 \mid \neg\mathsf{AskH}] \le 2^{-k+1}$. Thus,
$$\Pr[S_1] = \Pr[S_0 \wedge \mathsf{AskH}] \ge \Pr[S_0] - 2^{-k+1}.$$

$\mathrm{Game}_2$: In this game, we choose at random an index $\kappa$ between $1$ and $q_H$. We
let $m_\kappa$ be the $\kappa$-th message queried to $H$ by the adversary. We then discard
executions which output a valid message/signature pair $(m, s)$ such that
$m \ne m_\kappa$. Since the additional random value $\kappa$ is chosen independently of
the execution of $\mathrm{Game}_1$,
$$\Pr[S_2] = \Pr[S_1]/q_H.$$
$\mathrm{Game}_3$: In this game, we immediately abort if a signing query involves message
$m_\kappa$. By the definition of existential forgery, this only eliminates executions
outside $S_2$. Thus:
$$\Pr[S_3] = \Pr[S_2].$$

$\mathrm{Game}_4$: We now simulate the random oracle $H$, by maintaining an appropriate
list, which we denote by $H$-List. For any fresh query $m$, other than the $\kappa$-th
query, we pick at random $u \in \mathbb{Z}_n$ and compute $z = u^e \bmod n$, until the
most significant bit of $z$ is $0$. We next parse $z$ as $0 \,\|\, w \,\|\, *$, where $w$ is of
length $k - 1$, and check whether $z - w \cdot 2^{2k}$ is less than $2^{2k-1}$. If this is true,
we store $(m, u, w)$ in $H$-List and return $w$ as the answer to the oracle call.
Otherwise we restart the simulation of the current query. From theorem 4, we
see that the game differs from the previous one due to a slightly biased simulated
distribution. This distribution is obtained by setting $z = w\,2^{2k}$, counting the
number of $e$-th powers of elements of $\mathbb{Z}_n^*$ lying in the interval $[z, z + 2^{2k-1})$,
and multiplying by a suitable constant for normalisation. Recall that an
element $x$ of $[z, z + 2^{2k-1})$ is an $e$-th power modulo $n$ if and only if $x \bmod pq$
is an $e$-th power modulo $pq$. This is basically a restatement of the key idea
of ESIGN. Thus, setting $z' = z \bmod pq$, we have to count the number $\nu(z)$
of elements of the interval $[z', z' + 2^{2k-1})$ which belong to the subgroup
$G$ of $e$-th powers in $\mathbb{Z}_{pq}^*$. By theorem 4, the result is $K(1 + \Delta(z))$, where
$|\Delta(z)|$ is bounded by $M (pq)^{1/2}\, 2^{-2k+1} \ln pq$, and where $K, M$ are appropriate
constants. This yields
$$|\Delta(z)| \le M\, 2^{-k+1/2} \ln pq.$$
Upper bounding $\ln pq$ by $\frac{3}{2}\log pq \le 3k$, we get:
$$|\Delta(z)| \le 3Mk\, 2^{-k+1/2}.$$

Now, it is easily seen that any probability distribution obtained by normalizing
a function $\nu(z) = K(1 + \Delta(z))$, where $\Delta(z)$ is bounded by $\Lambda$, differs
from the uniform distribution by at most $2\Lambda$. Taking into account the
bound $M \le 5d$, where $d$ is the number of elements of the quotient of $\mathbb{Z}_{pq}^*$
by the subgroup of $e$-th powers, and bounding $d$ by $e^2$, we conclude that the
statistical distance of the simulated distribution to the uniform distribution
is bounded by twice the bound on $\Delta$, which is $30e^2 k\, 2^{-k+1/2} < 64 e^2 k\, 2^{-k}$.
Summing up for all oracle calls, we get:
$$|\Pr[S_4] - \Pr[S_3]| \le \frac{k e^2 (q_H + q_s)}{2^{k-6}}.$$

$\mathrm{Game}_5$: Here, we modify the previous simulation, stopping and aborting the game
when the $H$ query cannot be simulated after $k$ trials. This game differs from
the previous one when $w$ remains undefined after $k$ attempts.
$$\Pr[S_5] \ge \Pr[S_4] - (q_H + q_s)\times\Bigl(\frac{3}{4}\Bigr)^k.$$
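The simulator of $\mathrm{Game}_4$ and the $k$-trial abort of $\mathrm{Game}_5$, written out as an added example that is not code from the paper. It reuses the constructed toy parameters introduced earlier for the signing example ($k = 20$, $n = 1000003^2 \cdot 999983$, $e = 8$), but only the public values: the simulator never sees $p$ or $q$, and the pair $(u, w)$ it returns is exactly what $\mathrm{Game}_7$ later hands out as the signature of any message whose hash was programmed to $w$.

```python
import random

# Added example (not from the paper): trapdoor-free simulation of the random oracle
# H from Game_4 / Game_5, for the constructed toy parameters k = 20,
# n = 1000003^2 * 999983 (60 bits), e = 8.  Only the public key is used.

K_BITS = 20
N = 1000003 * 1000003 * 999983
E = 8

def simulate_hash_query(seed, max_tries=K_BITS):
    """Return (u, w, tries) with u^e mod n = 0 || w || * and the low 2k bits below
    2^{2k-1}, so that u is a valid ESIGN signature of any m with H(m) = w.
    Returns None after max_tries failures (the abort of Game_5, with max_tries = k)."""
    rng = random.Random(seed)
    k = K_BITS
    for tries in range(1, max_tries + 1):
        u = rng.randrange(1, N)
        z = pow(u, E, N)
        if z >> (3 * k - 1):                       # most significant bit of z must be 0
            continue
        w = z >> (2 * k)                           # parse z as 0 || w || *, w of k-1 bits
        if z - (w << (2 * k)) < 1 << (2 * k - 1):  # z - w 2^{2k} < 2^{2k-1}
            return u, w, tries
    return None

def simulated_signature_is_valid(u, w):
    """The verifier's check on (u, w): the k leading bits of u^e mod n are 0 || w."""
    return 0 < u < N and (pow(u, E, N) >> (2 * K_BITS)) == w

def average_tries(samples, seed=0):
    """Mean number of trials per successful simulation; the paper's remark after the
    proof expects about 4 (one half for the top bit, one half for the low part)."""
    total = successes = 0
    for i in range(samples):
        out = simulate_hash_query(seed + i)
        if out is not None:
            total += out[2]
            successes += 1
    return total / successes

if __name__ == "__main__":
    u, w, tries = simulate_hash_query(7)
    print("programmed H-value w =", w, "after", tries, "trials; u valid:",
          simulated_signature_is_valid(u, w))
    print("average trials over 300 simulations:", average_tries(300))
```

For this modulus $2^{3k-1}/n \approx 0.58$, so the top-bit test passes a little more often than half the time; the expected number of trials is accordingly somewhat below $4$, and the probability that $k = 20$ trials all fail is about $0.7^{20} < 10^{-3}$, matching the $(3/4)^k$ term of $\mathrm{Game}_5$.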
$\mathrm{Game}_6$: We complete the simulation by replacing $H(m_\kappa)$ by $v$, where $v$ is an
additional random string, which serves as an input to the AERP problem.
The distribution of $H$-outputs is unchanged:
$$\Pr[S_6] = \Pr[S_5].$$

$\mathrm{Game}_7$: We finally simulate the signing oracle: for any $m$ whose signature is
queried, we know that $m = m_\kappa$ does not hold, since corresponding executions
have been aborted in $\mathrm{Game}_3$. Thus $H$-List includes a triple $(m, u, w)$, such that
$u^e \bmod n$ has its $k$ leading bits of the form $0 \,\|\, H(m)$. Accordingly, $u$ provides
a valid signature of $m$. Furthermore, referring to lemma 6, we see that the
signing oracle outputs a value $s$ such that $s^e \bmod n$ is uniformly distributed
over all elements of $\mathbb{Z}_n^*$ whose $k + 1$ leading bits match up with $0 \,\|\, H(m) \,\|\, 0$.
Keeping in mind that $H(m)$ is chosen at random, we conclude that $s$ and $u$
follow an identical distribution. We now argue that the simulation is perfect.
The key fact is that, due to the SO-CMA setting, all inputs $m$ submitted
to the $H$ oracle by the signing oracle during execution are distinct. This
implies that the values of $s$ returned at each invocation of the signing oracle
are independent. Since the values of $u$ are also independent, the overall
distribution of simulated signatures obtained at $\mathrm{Game}_7$ is identical to the
distribution of actual signatures from $\mathrm{Game}_6$. Therefore,
$$\Pr[S_7] = \Pr[S_6].$$

Summing up the above inequalities, we obtain
$$\Pr[S_7] \ge \Pr[S_4] - (q_H + q_s)\times\Bigl(\frac{3}{4}\Bigr)^k \ge \Pr[S_3] - (q_H + q_s)\times\Bigl(\frac{3}{4}\Bigr)^k - \frac{k e^2 (q_H + q_s)}{2^{k-6}}$$
$$\ge \frac{\varepsilon - 2^{-k+1}}{q_H} - (q_H + q_s)\times\Bigl(\frac{3}{4}\Bigr)^k - \frac{k e^2 (q_H + q_s)}{2^{k-6}}.$$

When $\mathrm{Game}_7$ terminates outputting a valid message/signature pair $(m, s)$, we
unwind the ESIGN format and get $s^e = (0 \,\|\, v \,\|\, *) \bmod n$. If $S_7$
holds, we know that $m = m_\kappa$ and $H(m) = v$. This leads to an element whose $e$-th
power lies in the interval $[v\,2^{2k}, v\,2^{2k} + 2^{2k})$, thus solving an instance of AERP.
We finally have: $\Pr[S_7] \le \mathrm{Succ}^{\mathrm{aerp}}(t', k)$, where $t'$ denotes the running time of
$\mathrm{Game}_7$. This is the requested bound. Observe that $t'$ is the sum of the time for
the original attack, plus the time required for simulations, which amounts to at
most $k(q_s + q_H)$ modular exponentiations.


Remark. The security proof that appears in [15] replaces the $k$ multiplicative
factor in the running time by $4$. This is intuitively related to the fact that, on
average, it takes at most $4$ steps to perform the simulation of each call to $H$ in
$\mathrm{Game}_4$. It is actually possible to improve our time estimate
$$t' \le t + k(q_s + q_H)\cdot T_{\exp}(k)$$
to
$$t' \le t + 4(q_s + q_H)\cdot T_{\exp}(k).$$
This uses a method due to Jonsson [12]. It modifies the strategy for the simulation
of $H$ in $\mathrm{Game}_5$: instead of limiting the number of trials allowed, at each
execution, to find a value of $z$ in the correct range, it sets a counter that bounds
the overall number of retries, during the entire algorithm.
Abstract. We present an algorithm that finds polynomials with many
roots modulo many primes by rotating candidate Number Field Sieve
polynomials using the Chinese Remainder Theorem. We also present an
algorithm that finds a polynomial with small coefficients among all integral
translations of $X$ of a given polynomial in $\mathbb{Z}[X]$. These algorithms
can be used to produce promising candidate Number Field Sieve polynomials.

1 Introduction

The Number Field Sieve (NFS) [1] is the fastest (asymptotically) known general
integer factorization algorithm. When attempting to factor an integer $N$ with
NFS, we must first choose a polynomial $f \in \mathbb{Z}[X]$ with a known root $m$ modulo
$N$. When $f$ has many roots modulo many small primes, then we say $f$ has good
root properties. If the magnitudes of the values taken by $f$ are small, then we say
that $f$ has small size. It can be shown (heuristically) that if $f$ has good root
properties and has small size, then NFS should run faster than when $f$ does not
have these properties.

Procedures for generating candidate NFS polynomials with good root properties
and small size are described in [2]. Specifically, through the use of rotations
and translations, we hope to generate polynomials with better than average root
properties and size. In Sect. 2 we recall some basic facts about homogeneous
polynomials and their roots modulo primes. In Sect. 3 we then recall the standard
method for generating candidate NFS polynomials. In Sect. 4 we describe a
method for rotating candidate NFS polynomials to generate new candidate NFS
polynomials with many distinct roots modulo many primes. We discuss how to
find potentially small polynomials among polynomials of the form $f(X - a)$,
where $f \in \mathbb{Z}[X]$ is fixed and $a \in \mathbb{Z}$, in Sect. 5. We present an algorithm in Sect. 6
that finds candidate NFS polynomials with good root properties and small
size based on the methods discussed in Sect. 3-5. Finally, we conclude in Sect. 7
with a discussion of how "good" candidate NFS polynomials generated by the
algorithms presented in this paper should be.
2 Root Properties

Suppose $f = a_d X^d + \cdots + a_0 \in \mathbb{Z}[X]$ is a polynomial of degree d and $p \in \mathbb{Z}$ is prime. The homogenization of f is the polynomial $F \in \mathbb{Z}[X, Y]$ defined by $F(X, Y) = Y^d f(X/Y)$. A co-prime pair (a, b) is a root of F modulo p if $F(a, b) \equiv 0 \bmod p$. We shall sometimes refer to (a, b) as simply a root of F if the prime p is understood. Thinking of (a, b) as a point on the projective line $\mathbb{P}^1(\mathbb{F}_p)$, we follow the language of [2] and divide roots into two classes:

— Projective Roots: A root (a, b) where p divides b is called projective. Note that F will have projective roots if and only if p divides $a_d$.

— Regular Roots: A root (a, b) where p does not divide b is called regular. Here, (a, b) is a regular root iff $f(ab^{-1}) \equiv 0 \bmod p$, where $b^{-1}$ is calculated in $\mathbb{F}_p$. A regular root (a, b) with $p \mid a$ is sometimes called a zero root.

3 Base-m Method

Given positive integers m, N with m < N, it is not difficult to find a polynomial $f \in \mathbb{Z}[X]$ such that $f(m) \equiv 0 \bmod N$. A well-known method for doing this is the base-m method described in [1]. If $N = a_d m^d + \cdots + a_0$ is the base-m representation of N, where $0 \le a_i < m$, then by taking $f(X) = a_d X^d + \cdots + a_0$ we have $f(m) \equiv 0 \bmod N$. Given d, the degree of f can be chosen to be d by taking

$\lfloor N^{1/(d+1)} \rfloor < m \le \lfloor N^{1/d} \rfloor$

and constructing f as above. Furthermore, suppose we want to construct a polynomial with leading coefficient L and degree d. If $1 \le L \le N^{1/(d+1)} - 1$, then it is not hard to see that a base-m polynomial with

…

will have leading coefficient $= L$ (the bound on m is illegible in the scanned source).

Finally, we can arrange $-\lfloor m/2 \rfloor \le a_i \le \lfloor m/2 \rfloor$ for $0 \le i < d$ by using the transformation

if $a_i > \lfloor m/2 \rfloor$, then
    $a_i \leftarrow a_i - m$
    $a_{i+1} \leftarrow 1 + a_{i+1}$

for $i = 0, 1, \ldots, d-1$. It should be noted that this transformation may change the leading coefficient. This happens precisely when $a_{d-1} > \lfloor m/2 \rfloor$ after applying the transformation. If $a_{d-1} \approx \lfloor m/2 \rfloor$, then $|a_{d-1}| \approx |a_{d-1} - m|$, so we can leave $a_{d-1}$ alone; otherwise, we can change the value of m and start over.

We summarize the above with the following algorithm:
Algorithm 1. (Modified base-m method) Let i, d, L, and N be positive integers with $1 \le L \le N^{1/(d+1)} - 1$. This algorithm attempts to find an integer m and a polynomial $f = a_d X^d + \cdots + a_0 \in \mathbb{Z}[X]$ with $a_d = L$ and $|a_j| \le m/2$, for $0 \le j \le d-1$, such that $f(m) \equiv 0 \bmod N$. The parameter i allows the user to vary the value of m.

1. [Generate m] Set $m \leftarrow i + \lfloor \ldots \rfloor$. If $m > \ldots$ then print “i is too big” and terminate the algorithm. (Both bounds are illegible in the scanned source.)

2. [Build base-m representation of N] Set $temp \leftarrow N$. For $j = 0, \ldots, d$, do
    $a_j \leftarrow temp \bmod m$
    $temp \leftarrow (temp - a_j)/m$.

3. [Adjust $a_j$] For $j = 0, 1, \ldots, d-2$, do
    If $a_j > \lfloor m/2 \rfloor$, then
        $a_j \leftarrow a_j - m$
        $a_{j+1} \leftarrow 1 + a_{j+1}$.

4. [Build polynomials] Set
    $f_1(X) \leftarrow a_d X^d + \cdots + a_0$.
    If $a_{d-1} > \lfloor m/2 \rfloor$ then set
        $a_{d-1} \leftarrow a_{d-1} - m$
        $a_d \leftarrow 1 + a_d$
        $f_2(X) \leftarrow a_d X^d + \cdots + a_0$;
    otherwise set
        $f_2(X) \leftarrow f_1(X)$.

5. [Output and Terminate] If the leading coefficient of $f_2(X)$ is L, then return m and $f_2(X)$ and terminate the algorithm. Otherwise, if the leading coefficient of $f_1(X)$ is L, then return m and $f_1(X)$ and terminate the algorithm. Finally, if neither leading coefficient is L, then print “i is too big” and terminate the algorithm.

Note that the homogenization of the polynomial generated by Algorithm 1 will have projective roots modulo each prime dividing L.
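The following Python implementation of Algorithm 1 is an added wor­ked example, not code from the paper. Because the bound in step 1 is illegible in the scan, the choice of m is our assumption: we take $m = i + \lfloor (N/(L+1))^{1/d} \rfloor$ and treat $m > \lfloor (N/L)^{1/d} \rfloor$ as “i is too big”, since for m in that range $L m^d \le N < (L+1) m^d$ and the top base-m digit of N is exactly L. Steps 2 to 5 follow the algorithm as stated; the sample inputs N = 2789, d = 3, L = 2 are constructed for the example.

```python
from typing import List, Optional, Tuple


def iroot(n: int, k: int) -> int:
    """Largest integer r with r**k <= n, by binary search (exact for big ints)."""
    if n < 0 or k < 1:
        raise ValueError("iroot expects n >= 0 and k >= 1")
    lo, hi = 0, 1
    while hi ** k <= n:
        hi *= 2
    while lo + 1 < hi:
        mid = (lo + hi) // 2
        if mid ** k <= n:
            lo = mid
        else:
            hi = mid
    return lo


def poly_eval_mod(coeffs: List[int], x: int, mod: int) -> int:
    """Horner evaluation of a_0 + a_1 x + ... + a_d x^d modulo mod (coeffs[j] = a_j)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % mod
    return acc


def modified_base_m(i: int, d: int, L: int, N: int) -> Optional[Tuple[int, List[int]]]:
    """Algorithm 1 (modified base-m method).

    Returns (m, [a_0, ..., a_d]) with a_d == L, |a_j| <= m/2 for j <= d-2 and
    f(m) == 0 mod N, or None after printing "i is too big".  The formula for m
    (step 1) is an assumption, because the scan is illegible there.
    """
    # The paper's precondition 1 <= L <= N^(1/(d+1)) - 1, checked with exact integer roots.
    if not 1 <= L <= iroot(N, d + 1) - 1:
        raise ValueError("need 1 <= L <= N^(1/(d+1)) - 1")
    # Step 1 (assumed bound): (N/(L+1))^(1/d) < m <= (N/L)^(1/d) makes the top digit of N equal to L.
    m = i + iroot(N // (L + 1), d)
    if m > iroot(N // L, d):
        print("i is too big")
        return None
    # Step 2: base-m digits a_0..a_d of N, least significant first.
    a, temp = [], N
    for _ in range(d + 1):
        a.append(temp % m)
        temp = (temp - a[-1]) // m
    # Step 3: centre a_0..a_{d-2}; the carry into the next digit keeps f(m) == N.
    for j in range(d - 1):
        if a[j] > m // 2:
            a[j] -= m
            a[j + 1] += 1
    f1 = list(a)
    # Step 4: optionally centre a_{d-1} as well, which may bump the leading coefficient.
    if a[d - 1] > m // 2:
        a[d - 1] -= m
        a[d] += 1
    f2 = a
    # Step 5: prefer the fully centred polynomial, but only if its leading coefficient is still L.
    if f2[d] == L:
        return m, f2
    if f1[d] == L:
        return m, f1
    print("i is too big")
    return None
```

For N = 2789, d = 3, L = 2 and i = 1 this gives m = 10 and the digits [9, 8, 7, 2]; centring the low digits yields $f_1 = 2X^3 + 8X^2 - X - 1$, while also centring $a_2$ would raise the leading coefficient to 3, so $f_1$ is returned, exactly the fallback of step 5.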

4 Rotations

Suppose $f \in \mathbb{Z}[X]$ is a polynomial of degree d with root m modulo N. Then $g = f + (b_r X^r + \cdots + b_0)(X - m)$, with $0 \le r < d$, is a polynomial of degree d (unless $r = d-1$ and $b_{d-1} = -a_d$) with root m modulo N. We call the polynomial $b_r X^r + \cdots + b_0$ a rotation of f. Given a finite set of powers of distinct primes S, we look for a rotation that yields a polynomial with good root properties with respect to S. In [2], linear rotations (r = 1) are found using a sieve-like procedure. We present an algorithm that finds promising higher degree rotations using the Chinese Remainder Theorem (CRT). The basic idea is to first choose roots $k_{ij} \bmod p_i^{e_i}$. Then for each i find a rotation that yields a polynomial with roots $k_{ij} \bmod p_i^{e_i}$, and finally use CRT to find a single rotation that yields a polynomial with roots $k_{ij}$ for all i, j.
Suppose $S = \{p_1^{e_1}, \ldots, p_s^{e_s}\}$, where $p_i \ne p_j$ unless $i = j$, and $e_i \ge 1$ for all i. For each $p_i$ and each $0 \le j \le r$, choose $k_{ij}$ such that $0 \le k_{ij} < p_i$, $k_{ij} \ne k_{il}$ unless $j = l$, and $p_i$ does not divide $m - k_{ij}$. This requires $r \le p_i - 2$ for all i. Now set $z_{ij} = (m - k_{ij})^{-1} f(k_{ij}) \bmod p_i^{e_i}$. If we set $g = f + (b_r X^r + \cdots + b_0)(X - m)$, then $k_{ij}$ will be a root of g modulo $p_i^{e_i}$ for $0 \le j \le r$ if

$b_r k_{ij}^r + \cdots + b_1 k_{ij} + b_0 \equiv z_{ij} \bmod p_i^{e_i} .$

To determine the $b_i$ modulo $p_i^{e_i}$, we must solve the matrix congruence

$\begin{pmatrix} 1 & k_{i0} & k_{i0}^2 & \cdots & k_{i0}^r \\ \vdots & \vdots & \vdots & & \vdots \\ 1 & k_{ir} & k_{ir}^2 & \cdots & k_{ir}^r \end{pmatrix} \begin{pmatrix} b_0 \\ \vdots \\ b_r \end{pmatrix} \equiv \begin{pmatrix} z_{i0} \\ \vdots \\ z_{ir} \end{pmatrix} \bmod p_i^{e_i} . \qquad (1)$

We have chosen the $k_{ij}$ so that we may solve this system uniquely. Let $(b_{i0}, \ldots, b_{ir})^T$ denote the unique solution vector modulo $p_i^{e_i}$. Finally, we solve the system of linear congruences

$b_j \equiv b_{1j} \bmod p_1^{e_1}$
$b_j \equiv b_{2j} \bmod p_2^{e_2}$
$\vdots$
$b_j \equiv b_{sj} \bmod p_s^{e_s}$

using CRT, for each $0 \le j \le r$.

We now have a polynomial $g = f + (b_r X^r + \cdots + b_0)(X - m)$ such that $g(k_{ij}) \equiv 0 \bmod p_i^{e_i}$ for $0 \le j \le r$ and $1 \le i \le s$. We should note that the coefficients of g may be larger than the coefficients of f. Explicitly, if $f = a_d X^d + \cdots + a_0$, then $g = c_d X^d + \cdots + c_0$, where

$c_i = \begin{cases} a_d + b_{d-1} & \text{if } i = d \\ a_i + b_{i-1} - m b_i & \text{if } 1 \le i < d \\ a_0 - m b_0 & \text{if } i = 0 \end{cases} \qquad (2)$

where $b_i = 0$ if $i > r$.

Now let $C = \prod_{i=1}^{s} p_i^{e_i}$. We would usually take the $b_i$ as the least positive residue modulo C, but it should be noted that we may as well take $b_i + lC$, where $l \in \mathbb{Z}$, if it suits our purposes. In the best case scenario, we can choose the $b_i$ so that g is a skewed polynomial with coefficients that grow geometrically (roughly) from $c_d$ to $c_0$. If this is not the case, then it may be possible by using a suitable translation (see Sect. 5). Finally we note that if f has many roots modulo many primes, then its homogenization F will have many regular roots modulo many primes.

We summarize this discussion with the following algorithm:

Algorithm 2. (Rotation) Let $f \in \mathbb{Z}[X]$ be a polynomial of degree d, with root m modulo N. Let S be a finite set of powers of distinct primes $S = \{p_1^{e_1}, \ldots, p_s^{e_s}\}$ and $0 \le r < d$. This algorithm finds a polynomial $g \in \mathbb{Z}[X]$ with root m modulo N and at least r + 1 distinct roots modulo each $p_i^{e_i} \in S$. If $r = d - 1$, then the degree of g will be either d or d − 1; otherwise the degree of g will be d.

1. [Check parameters] Order the primes so that $p_1 < p_2 < \cdots < p_s$. If $r > p_1 - 2$, then print “Either r is too big or $p_1$ is too small” and terminate the algorithm; otherwise proceed to the next step.

2. [Pick roots and build $z_{ij}$] For $i = 1, \ldots, s$, do
    For $j = 0, \ldots, r$, do
        $k_{ij} \leftarrow j$
        $z_{ij} \leftarrow (m - k_{ij})^{-1} f(k_{ij}) \bmod p_i^{e_i}$.
    If $k_{ij} \equiv m \bmod p_i$ for some j, then set $k_{ij} \leftarrow r + 1$ and recalculate $z_{ij}$. Note: there will be at most one such j for each i.

3. [Build $b_{ij}$] For $i = 1, \ldots, s$, calculate $(b_{i0}, \ldots, b_{ir})^T$ from (1).

4. [Build $b_j$ using CRT] For $j = 0, 1, \ldots, r$, solve

    $b_j \equiv b_{1j} \bmod p_1^{e_1}$
    $b_j \equiv b_{2j} \bmod p_2^{e_2}$
    $\vdots$
    $b_j \equiv b_{sj} \bmod p_s^{e_s}$

    using CRT.

5. [Build g(X)] Define $c_i$ as in (2) and set
    $g(X) \leftarrow c_d X^d + \cdots + c_0$.

6. [Output and Terminate] Return g(X) and $\{k_{ij}\}$ and terminate the algorithm.
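An added Python version of Algorithm 2 (our code, not the paper's). The Vandermonde system (1) is solved by Lagrange interpolation modulo $p_i^{e_i}$, which is legitimate because the $k_{ij}$ are distinct modulo $p_i$ and so all the denominators $k_{ij} - k_{il}$ are units; the $b_j$ are then combined with CRT and g is assembled from equation (2). The sample input is the polynomial $f = 2X^3 + 8X^2 - X - 1$ with root m = 10 modulo N = 2789 and the constructed set S = {5, 7}, r = 1.

```python
from typing import Dict, List, Sequence, Tuple

Poly = List[int]  # coefficient list; index j holds the coefficient of X^j


def poly_eval_mod(f: Sequence[int], x: int, mod: int) -> int:
    """Horner evaluation of f(x) modulo mod."""
    acc = 0
    for c in reversed(f):
        acc = (acc * x + c) % mod
    return acc


def poly_mul_mod(a: Sequence[int], b: Sequence[int], mod: int) -> Poly:
    """Product of two coefficient lists, reduced modulo mod."""
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % mod
    return out


def interpolate_mod(points: Sequence[Tuple[int, int]], mod: int) -> Poly:
    """Solve system (1): coefficients b_0..b_r of the unique polynomial of degree <= r
    with b(k_j) == z_j (mod mod).  Lagrange's formula replaces Gaussian elimination;
    it needs every k_j - k_l invertible, which holds mod p^e when the k_j are distinct mod p."""
    r = len(points) - 1
    coeffs = [0] * (r + 1)
    for j, (kj, zj) in enumerate(points):
        num, denom = [1], 1  # prod_{l != j} (X - k_l)  and  prod_{l != j} (k_j - k_l)
        for l, (kl, _) in enumerate(points):
            if l != j:
                num = poly_mul_mod(num, [(-kl) % mod, 1], mod)
                denom = denom * (kj - kl) % mod
        scale = zj * pow(denom, -1, mod) % mod
        for t, c in enumerate(num):
            coeffs[t] = (coeffs[t] + scale * c) % mod
    return coeffs


def crt(residues: Sequence[Tuple[int, int]]) -> int:
    """Smallest non-negative x with x == a_i (mod n_i) for pairwise coprime n_i."""
    x, n = 0, 1
    for a, ni in residues:
        t = (a - x) * pow(n, -1, ni) % ni
        x, n = x + n * t, n * ni
    return x % n


def rotate(f: Sequence[int], m: int, N: int, S: Sequence[Tuple[int, int]],
           r: int) -> Tuple[Poly, Dict[Tuple[int, int], List[int]]]:
    """Algorithm 2.  S is a list of (p, e) pairs standing for p^e.  Returns g and the
    chosen roots k_ij keyed by (p, e), with g(k_ij) == 0 mod p^e and g(m) == 0 mod N."""
    d = len(f) - 1
    if not 0 <= r < d:
        raise ValueError("need 0 <= r < d")
    S = sorted(S)
    if r > S[0][0] - 2:                                                   # step 1
        raise ValueError("Either r is too big or p_1 is too small")
    roots: Dict[Tuple[int, int], List[int]] = {}
    per_modulus: List[Tuple[Poly, int]] = []
    for p, e in S:                                                        # step 2
        q = p ** e
        ks = [k if (m - k) % p else r + 1 for k in range(r + 1)]          # at most one k is m mod p
        zs = [pow((m - k) % q, -1, q) * poly_eval_mod(f, k, q) % q for k in ks]
        per_modulus.append((interpolate_mod(list(zip(ks, zs)), q), q))   # step 3
        roots[(p, e)] = ks
    b = [crt([(bi[j], q) for bi, q in per_modulus]) for j in range(r + 1)]  # step 4
    b += [0] * (d + 1 - len(b))                                           # b_i = 0 for i > r
    g = [f[i] + (b[i - 1] if i else 0) - m * b[i] for i in range(d + 1)]  # equation (2), step 5
    return g, roots
```

With the sample input the rotation is $23X + 9$ and $g = 2X^3 + 31X^2 - 222X - 91$, which keeps the root 10 modulo 2789, vanishes at 1 and 2 modulo 5 and at 0 and 1 modulo 7, and illustrates the remark above that the coefficients of g can be much larger than those of f.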


5 Translations

Let us fix a polynomial $f(X) = a_d X^d + \cdots + a_0 \in \mathbb{Z}[X]$ with $a_d \ne 0$. Note that for $a \in \mathbb{Z}$, the roots of $f(X - a) \in \mathbb{Z}[X]$ will just be the roots of f translated by a. However, the coefficients of $f(X - a)$ will not (in general) be the coefficients of f. So $f(X - a)$ has the same root properties as f, but perhaps differs in size. We now examine the effect of translation on the coefficients of f.

We define $T_f(U) = \{ f(X - a) \mid a \in U \}$, where we will be interested in the cases $U = \mathbb{Z}, \mathbb{R}$. Also, fix $\omega = (\omega_0, \ldots, \omega_d) \in \mathbb{R}^{d+1}$ and let

$\|a_d X^d + \cdots + a_0\|_{\omega,\infty} = \max_i |\omega_i a_i| ,$

$\|a_d X^d + \cdots + a_0\|_{\omega,k} = \left( \sum_{i=0}^{d} |\omega_i a_i|^k \right)^{1/k} .$

We will use the more convenient notation $\|\cdot\|_\infty$ and $\|\cdot\|_k$ and drop ω from the notation. Since polynomials with small coefficients tend to have small size, we will refer to $\|f\|_\infty$ as the size of f. For our fixed f and ω, we seek $h \in T_f(\mathbb{Z})$ with minimal size. The following proposition is the first step in finding such an h.
Proposition 1. Fix $f \in \mathbb{Z}[X]$ with $\deg(f) = d$, and $\omega \in \mathbb{R}^{d+1}$. Let $k \ge 1$ and take $g_k, h \in T_f(\mathbb{Z})$ with

$\|g_k\|_k = \min_{g \in T_f(\mathbb{Z})} \|g\|_k \quad \text{and} \quad \|h\|_\infty = \min_{g \in T_f(\mathbb{Z})} \|g\|_\infty .$

Then

$\|g_k\|_\infty \le (d+1)^{1/k} \|h\|_\infty .$

Proof. Let $g_k = b_d X^d + \cdots + b_0$, and $h = c_d X^d + \cdots + c_0$. It is easy to see that $\|g_k\|_\infty \le \|g_k\|_k$. Let $r_k = \|g_k\|_k$ and suppose that $|\omega_i c_i| < r_k/(d+1)^{1/k}$ for all i. Then

$\|h\|_k^k = \sum_{i=0}^{d} |\omega_i c_i|^k < (d+1) \frac{r_k^k}{d+1} = r_k^k = \|g_k\|_k^k ,$

which implies that $\|h\|_k < \|g_k\|_k$, a contradiction since $\|g_k\|_k$ is minimal in $T_f(\mathbb{Z})$. So there must be some i such that $|\omega_i c_i| \ge r_k/(d+1)^{1/k}$. But this means that $\|h\|_\infty \ge r_k/(d+1)^{1/k}$, which immediately implies $\|g_k\|_\infty \le \|g_k\|_k \le (d+1)^{1/k} \|h\|_\infty$.

Proposition 1 gives us the tool we need to find h. 

Corollary 1. If $k > \dfrac{\ln(d+1)}{\ln\left(1 + 1/\|f\|_\infty\right)}$, then $\|g_k\|_\infty = \|h\|_\infty$.

Proof. For $k \ge 1$, Proposition 1 says that

$0 \le \|g_k\|_\infty - \|h\|_\infty \le \left((d+1)^{1/k} - 1\right) \|h\|_\infty .$

But since $\|h\|_\infty \le \|f\|_\infty$, we have

$0 \le \|g_k\|_\infty - \|h\|_\infty \le \left((d+1)^{1/k} - 1\right) \|f\|_\infty .$

Now $((d+1)^{1/k} - 1) \|f\|_\infty \to 0$ as $k \to \infty$. But since $\|g_k\|_\infty - \|h\|_\infty$ is a nonnegative integer, as soon as $((d+1)^{1/k} - 1) \|f\|_\infty < 1$, we must have $\|g_k\|_\infty = \|h\|_\infty$.

Notice that although Corollary 1 gives us a way of finding h with minimal size in $T_f(\mathbb{Z})$ in theory, there is little hope of using this result in practice. In fact, $\ln x \approx x - 1$ when $x \approx 1$, so the denominator of the lower bound will be approximately $\|f\|_\infty^{-1}$ when $\|f\|_\infty$ is large. If we were to try to use Corollary 1, we would end up having to find the critical points of a degree kd polynomial, as we shall see shortly, which is clearly unreasonable when k is very large. With that said, Proposition 1 says that even for small k we can generate a polynomial with size equal to a rather small constant times $\|h\|_\infty$. With this in mind, let us now consider how we can find $g_k$ as defined in Proposition 1. Observe that

$f(X - \alpha) = \sum_{i=0}^{d} a_i (X - \alpha)^i = \sum_{i=0}^{d} a_i \sum_{j=0}^{i} \binom{i}{j} (-\alpha)^{i-j} X^j = \sum_{j=0}^{d} p_j(\alpha) X^j ,$

where

$p_j(\alpha) = \sum_{i=j}^{d} a_i \binom{i}{j} (-\alpha)^{i-j} .$

Now define $m_k(\alpha) = \sum_{i=0}^{d} (\omega_i p_i(\alpha))^k$ and change variables to get $m_k(X) = \sum_{i=0}^{d} (\omega_i p_i(X))^k$. Let k be even. Then $m_k(X)$ is a polynomial of degree kd, with $m_k(X) \ge 0$ and $m_k(\alpha) = \|f(X - \alpha)\|_k^k$. Finding the value in $\mathbb{Z}$ at which $m_k(X)$ achieves its absolute minimum is a straightforward task for small k.

We summarize this discussion with the following algorithm:

Algorithm 3. (Translation) Let $f \in \mathbb{Z}[X]$ be a polynomial of degree d, let k be a positive even integer and let $\omega \in \mathbb{R}^{d+1}$. This algorithm finds a polynomial $g_k \in \mathbb{Z}[X]$ and $\alpha_k \in \mathbb{Z}$, with $g_k(X) = f(X - \alpha_k)$ and $\|g_k\|_\infty$ less than or equal to $(d+1)^{1/k}$ times the size of a polynomial in $T_f(\mathbb{Z})$ of minimal size. In the process of computing $g_k$, the algorithm will compute the critical points of a polynomial of degree kd. If $k > \kappa := \left\lceil \ln(d+1) / \ln\left(1 + 1/\|f\|_\infty\right) \right\rceil$, then the algorithm will instead compute the critical points of a polynomial of degree κd, and $g_k$ will have minimal size in $T_f(\mathbb{Z})$.

1. [Generate κ] Set

    $\kappa \leftarrow \left\lceil \dfrac{\ln(d+1)}{\ln\left(1 + 1/\|f\|_\infty\right)} \right\rceil$

    minimal ← false.

2. [Is k too big?] If $k > \kappa$, then set
    $k \leftarrow \kappa$ if κ is even;
    otherwise set
    $k \leftarrow \kappa + 1$
    minimal ← true.

3. [Generate translate coefficients] For $j = 0, 1, \ldots, d$, set
    $p_j(X) \leftarrow \sum_{i=j}^{d} a_i \binom{i}{j} (-X)^{i-j}$.

4. [Build $m_k(X)$] Set
    $m_k(X) \leftarrow (\omega_d p_d(X))^k + \cdots + (\omega_0 p_0(X))^k$.

5. [Find critical numbers] Find $\alpha_{k1}, \ldots, \alpha_{kl}$ such that $m_k'(\alpha_{ki}) = 0$ for all i.

6. [Identify $\alpha_k$] Find $\alpha_k \in \{\lfloor \alpha_{ki} \rfloor, \lceil \alpha_{ki} \rceil\}_{i=1}^{l}$ such that
    $m_k(\alpha_k) \le m_k(\lfloor \alpha_{ki} \rfloor),\; m_k(\lceil \alpha_{ki} \rceil)$ for all i.

7. [Build $g_k$] Set $g_k \leftarrow f(X - \alpha_k)$.

8. [Output and Terminate] Return $\alpha_k$ and $g_k$. If minimal = true, print “This polynomial has minimal size in $T_f(\mathbb{Z})$.” In either case, terminate the algorithm.
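Here is an added Python example of Algorithm 3 (ours, not the paper's code). Steps 1 to 4, 7 and 8 follow the algorithm; steps 5 and 6 (real critical points of $m_k$, then rounding) are replaced by an exhaustive search over the integers in a rigorous bracket, which is our own device: since $m_k(\alpha) \ge (\omega_{d-1} p_{d-1}(\alpha))^k$ with $p_{d-1}(\alpha) = a_{d-1} - d\,a_d \alpha$, and $m_k(0) \le (d+1)\|f\|_\infty^k$, any integer α that beats α = 0 satisfies $|a_{d-1} - d\,a_d \alpha| \le (d+1)^{1/k} \|f\|_\infty / \omega_{d-1}$. The search therefore returns the exact integer minimiser of $m_k$. Integer weights ω keep the arithmetic exact; the sample polynomials are constructed translates of $X^3 + 2X + 5$ and $X^2 + 3$.

```python
from math import ceil, comb, log
from typing import List, Sequence, Tuple


def translate(f: Sequence[int], alpha: int) -> List[int]:
    """Exact coefficients p_0(alpha), ..., p_d(alpha) of f(X - alpha), from
    p_j(alpha) = sum_{i >= j} a_i * C(i, j) * (-alpha)^(i-j)."""
    d = len(f) - 1
    return [sum(f[i] * comb(i, j) * (-alpha) ** (i - j) for i in range(j, d + 1))
            for j in range(d + 1)]


def size_inf(g: Sequence[int], omega: Sequence[int]):
    """||g||_inf = max_i |omega_i g_i|, the paper's notion of size."""
    return max(abs(w * c) for w, c in zip(omega, g))


def m_k(f: Sequence[int], omega: Sequence[int], k: int, alpha: int):
    """m_k(alpha) = sum_i (omega_i p_i(alpha))^k, which equals ||f(X - alpha)||_k^k for even k."""
    return sum((w * c) ** k for w, c in zip(omega, translate(f, alpha)))


def kappa(f: Sequence[int], omega: Sequence[int]) -> int:
    """kappa = ceil( ln(d+1) / ln(1 + 1/||f||_inf) ), as in step 1 and Corollary 1."""
    d = len(f) - 1
    return ceil(log(d + 1) / log(1 + 1 / size_inf(f, omega)))


def best_translation(f: Sequence[int], omega: Sequence[int], k: int) -> Tuple[int, List[int], bool]:
    """Algorithm 3 with an exhaustive integer search in place of steps 5-6.
    Returns (alpha_k, g_k, minimal), where minimal is the flag set in step 2."""
    d = len(f) - 1
    if k <= 0 or k % 2:
        raise ValueError("k must be a positive even integer")
    if d < 1 or f[d] == 0 or omega[d - 1] <= 0:
        raise ValueError("need deg f >= 1, a_d != 0 and omega_{d-1} > 0")
    kap, minimal = kappa(f, omega), False                       # step 1
    if k > kap:                                                 # step 2
        k, minimal = (kap if kap % 2 == 0 else kap + 1), True
    # Bracket (our device, not in the paper): m_k(0) <= (d+1) ||f||_inf^k and
    # m_k(alpha) >= (omega_{d-1} (a_{d-1} - d a_d alpha))^k, so every integer alpha
    # with m_k(alpha) <= m_k(0) lies within `radius` of 0.
    bound_top = (d + 1) ** (1.0 / k) * size_inf(f, omega) / omega[d - 1]
    radius = int((abs(f[d - 1]) + bound_top) / (d * abs(f[d]))) + 1
    alpha_k, best = 0, m_k(f, omega, k, 0)
    for alpha in range(-radius, radius + 1):
        val = m_k(f, omega, k, alpha)
        if val < best:
            alpha_k, best = alpha, val
    return alpha_k, translate(f, alpha_k), minimal              # steps 7-8
```

For $f = X^3 - 21X^2 + 149X - 352$ (which is $X^3 + 2X + 5$ shifted by 7) the search with k = 2 and ω = (1, 1, 1, 1) returns α = −7 and $g_2 = X^3 + 2X + 5$, reducing the size from 352 to 5. Asking for a k above κ triggers step 2, so the returned polynomial is reported as minimal in $T_f(\mathbb{Z})$, as Corollary 1 promises.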
6 Candidate NFS Polynomials

We can use Algorithms 1-3 to generate candidate NFS polynomials. More precisely, let us fix a positive integer N that we wish to factor and $d > 1$. Pick a suitable leading coefficient L, divisible by many small primes. We use Algorithm 1 to generate a polynomial $f_1$ of degree d with leading coefficient L and root m modulo N. We can then use Algorithm 2 to rotate $f_1$ by a polynomial of degree $r = d - 2$. This generates a polynomial $f_2$ with at least $d - 1$ roots modulo each element in some fixed set S of small powers of distinct primes. Also, $f_2$ has leading coefficient L and root m modulo N. Finally, we use Algorithm 3 with a suitable choice for ω to produce a polynomial $f_3$ which has all the root properties of $f_2$, with perhaps minimal size in $T_{f_2}(\mathbb{Z})$.

At this point, we have a candidate NFS polynomial with good root properties and small size. However, if this polynomial is not satisfactory for some reason, adjustments can be made to generate more polynomials. For example, we may generate many candidate NFS polynomials by varying i and L in Algorithm 1, S in Algorithm 2, or ω in Algorithm 3. The following algorithm combines Algorithms 1-3 to produce candidate NFS polynomials:

Algorithm 4. (NFS candidate polynomial) Let $N > 1$ be a number that we wish to factor, L, d, and i be positive integers, $S = \{p_1^{e_1}, \ldots, p_s^{e_s}\}$ be a finite set of small powers of distinct primes, and $\omega \in \mathbb{R}^{d+1}$. This algorithm attempts to produce a candidate NFS polynomial with at least $d - 1$ roots modulo every $p_i^{e_i} \in S$.

1. [Generate a base-m polynomial] Generate m and $f_1$ from Algorithm 1, using inputs i, d, L and N. If Algorithm 1 returns an error message, print the error message and terminate the algorithm.

2. [Rotate $f_1$] Generate $f_2$ and $\{k_{ij}\}$ from Algorithm 2, using inputs $f_1$, d, m, N, S, and $r = d - 2$. If Algorithm 2 returns an error message, print the error message and terminate the algorithm.

3. [Translate $f_2$] Generate $f_3$ and α from Algorithm 3, using inputs $f_2$, d, and ω. If Algorithm 3 generates a message, print the message.

4. [Translate $k_{ij}$] For all i, j set:
    $k_{ij} \leftarrow k_{ij} + \alpha$.

5. [Output and Terminate] Return $f_3$ and $\{k_{ij}\}$ and terminate the algorithm.

7 Conclusion

One may wonder how “good” candidate NFS polynomials generated by Algorithm 4 will be. Let $f \in \mathbb{Z}[X]$ have degree d and $F \in \mathbb{Z}[X, Y]$ be the homogenization of f. One measure of “goodness” is

$\alpha_B(F) = \sum_{p \le B} \ldots \frac{\ln p}{p - 1}$

where the sum is over all well-behaved primes (primes that do not divide the discriminant of f) less than or equal to some bound B, and $q_p$ is the number of roots (regular and projective) of F modulo p, as defined in [2]; the factor of the summand involving $q_p$ is illegible in the scanned source. Heuristically and roughly speaking, we expect a typical value F(x, y) to behave like a random integer of size $F(x, y) \cdot e^{\alpha_B(F)}$. So the more negative $\alpha_B(F)$ is, the “better” F should be. But clearly $\alpha_B(F)$ will be more negative whenever $q_p$ is large for small primes p. Now $0 \le q_p \le d + 1$. However, by using Algorithm 4 we can force $q_p \ge d$ for each $p_i \mid L$ with $p_i^{e_i} \in S$. If $S = \{p_1^{e_1}, \ldots, p_s^{e_s}\}$ with $p_1 < p_2 < \cdots < p_s \le B$, with $r \le p_1 - 2$, then we will have a polynomial F which very likely has $\alpha_B(F) < 0$. Finally, by adjusting the coefficients after the CRT-step, or by using Algorithm 3, one hopefully has a suitable polynomial for factoring N using the Number Field Sieve. Future work will be devoted to identifying optimal parameters (i.e. L, S, ω) for a given N.
Abstract. The best practical algorithm for class group computations in imaginary quadratic number fields (such as group structure, class number, discrete logarithm computations) is a variant of the quadratic sieve factoring algorithm. Paradoxical as it sounds, the principles of the number field sieve, in a strict sense, could not be applied to number field computations, yet. In this article we give an indication of the obstructions. In particular, we first present fundamental core elements of a number field sieve for number field computations of which it is absolutely unknown how to design them in a useful way. Finally, we show that the existence of a number field sieve for number field computations with a running time asymptotics similar to that of the genuine number field sieve likely implies the existence of an algorithm for elliptic curve related computational problems with subexponential running time.

Keywords: imaginary quadratic number fields, class groups, number 
field sieve, imaginary quadratic function fields, hyperelliptic curve dis- 
crete logarithm. 


1 Introduction 

The best practical algorithm for class group computations in quadratic number fields so far is a variant of the quadratic sieve algorithm. In the imaginary quadratic case such computations include the computation of class structures, class numbers, discrete logarithms, and Diffie-Hellman secrets; in the real quadratic case such computations include the computation of regulators, fundamental units, and principal ideal generators. In this article we focus on the imaginary quadratic case, though some arguments may be generalized to the real quadratic case or even to the case of number fields of arbitrary degree.

We refer to the quadratic sieve algorithm for the imaginary quadratic case as the IQ-MPQS. The IQ-MPQS has an asymptotic running time proportional to $L_{|\Delta|}[\frac{1}{2}, c_1 + o(1)]$ for some positive constant $c_1$ (numerical evidence strongly suggests that $c_1 = 1$), where Δ is the discriminant.

C.S. Laih (Ed.): ASIACRYPT 2003, LNCS 2894, pp. 311-325, 2003.


1.1 Our Result 

It is tempting to ask whether the number field sieve could not be used for number 
field computations as well. In fact, before the invention of the number field sieve 
the quadratic sieve was the best known algorithm to factor large integers, and 
the principles of the number field sieve could be profitably applied to many 
other computational problems which admit to algorithms of index-calculus type. 
However, paradoxical as it sounds, the number field sieve does not seem to work 
for number field computations. 

In this article we give an indication of the obstructions in the imaginary quadratic case; we refer to the number field sieve in this case as the IQ-NFS. It must be clear, though, that if we ask for an IQ-NFS, then we mean to find an algorithm that is superior to the IQ-MPQS, i.e. having an asymptotic running time proportional to $L_{|\Delta|}[\frac{1}{3}, c_2 + o(1)]$ for some positive constant $c_2$, or even $L_{|\Delta|}[\frac{1}{2}, c_3 + o(1)]$ for some positive constant $c_3$ non-negligibly smaller than 1.

By examining the connection between the number field computations and function field computations, we also show that an IQ-NFS with a running time proportional to $L_{|\Delta|}[\frac{1}{3}, c_4 + o(1)]$ for some positive constant $c_4$ could almost certainly be exploited to develop an algorithm for elliptic curve related computational problems.

We will conclude that if there exists an IQ-NFS, it will most likely not be 
superior to the IQ-MPQS, and if it did, its design would probably not follow 
that of the genuine NFS. 

We must point out that this article is of somewhat speculative nature, and 
thus it should be understood as a starting point for further research. 


1.2 Cryptographic Relevance 

We outline now briefly the cryptographic relevance of our results. There is a fam- 
ily of cryptographic public-key schemes based on the intractability of some com- 
putational problems with class groups of imaginary quadratic number fields [8] ; 
we call these cryptographic schemes IQ-schemes. Due to the sparseness of inde- 
pendent computational problems that admit to efficient cryptographic schemes, 
these public-key schemes were introduced as an alternative to existing schemes. 
More precisely: the security of the cryptographic schemes that are used in prac- 
tice is based on the intractability of very few families of independent computa- 
tional problems. Moreover, rigorous and unconditional proofs of the intractabil- 
ity of any of those computational problems are not known. This has repeatedly 
raised concerns about public-key cryptography. It is therefore advisable to have 
some well worked out and independent alternatives available. IQ-cryptography 
provides such an alternative; IQ-schemes are secure (using standard definitions 
and models of security) and efficient (in a practical sense) . 
The best known algorithm to solve these computational problems is, as already mentioned, the IQ-MPQS with the running time asymptotic $L[\frac{1}{2}]$. Traditional cryptographic schemes are based on the intractability of factoring integers or finite field computations, and the best known algorithms to solve these computational problems are variants of the number field sieve with the running time asymptotic $L[\frac{1}{3}]$. Thus, it seems that there is a complexity theoretic gap between IQ-related computational problems and factoring or finite field related problems.

Such a gap implies that, with increasing security level, the sizes of crypto- 
graphic parameters (such as RSA moduli, finite field size, discriminants etc.) 
and thus operands in a cryptographic operation (such as computing a signature) 
grow faster for traditional schemes than for IQ schemes. In spite of the more 
complex IQ-arithmetic it follows that IQ-cryptography eventually outperforms 
traditional cryptography. It is clear, though, that IQ-cryptography is eventually 
inferior to elliptic curve cryptography for the same reason. Yet, for the time 
being, IQ cryptography can be, in principle at least, considered as an efficient 
alternative. 

However, the main motivation of IQ-cryptography is not its efficiency. We 
finally mention that due to the fact that the orders of class groups are in gen- 
eral not efficiently computable, IQ-cryptography has applications where elliptic 
curves do not work, see e.g. [5]. 

1.3 Notation 

We use the following common notation 

$L_x[\varepsilon, c] = \exp\left( c (\log x)^{\varepsilon} (\log\log x)^{1 - \varepsilon} \right) ,$

while $L[\varepsilon]$ is the abbreviation for $L_x[\varepsilon, c]$ for some variable x and some positive constant c.

2 Constructive Obstructions 

In this section we present some obstructions one encounters if one wants to 
design an IQ-NFS along the lines of the genuine NFS. 


2.1 A Brief Review of the NFS Relation Generation 

We begin with a brief review of the relevant details of the NFS relation generation for DL computations in finite fields, see [7, 12-15] as well as [2] for all details. Let p be a prime and let $\mathbb{F}_p$ be a finite field. Then let d be a suitably chosen (small) integer, take $m = \lfloor p^{1/d} \rfloor$, and for $0 \le i \le d$ let $a_i$ be the digits of the base-m expansion of p, i.e. let $a_i$ be non-zero integers such that $p = \sum_{0 \le i \le d} a_i m^i$. Then let f(X) be the polynomial with coefficients $a_i$ of degree d. Suppose that f(X) is irreducible over $\mathbb{Z}$, and let α denote a root of f(X). Since

$f(m) \equiv 0 \pmod p \qquad (1)$

the map defined by $\phi(\alpha) = m$ is a ring homomorphism from $\mathbb{Z}[\alpha]$ to $\mathbb{F}_p$. Formally one is looking at $\mathbb{Z}[\alpha]$-integers of the form $\theta = a - b\alpha$, of which the norm is $N(a - b\alpha) = F(a, b)$, where F(X, Y) is the homogenized bivariate polynomial that corresponds to f(X). A $\mathbb{Z}[\alpha]$-integer θ is understood to be smooth if its norm is smooth. The main task in the sieving stage is to find a set of coprime integers a and b such that θ and φ(θ) are simultaneously smooth. That is, F(a, b) and a − bm have to be smooth simultaneously. This is done by taking $G(X, Y) = F(X, Y)(X - mY)$ and sieving the bivariate polynomial G(X, Y).

Based on the bounds on X, Y and the coefficients of G, and assuming that the values of G(X, Y) behave like random integers with respect to smoothness probability, one gets that the running time is proportional to $L_p[\frac{1}{3}, c_4 + o(1)]$, where $c_4 = (64/9)^{1/3}$; moreover, $d = [(3 \ln p / \ln\ln p)^{1/3}]$.
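As an added illustration of the relation generation just described (our code, not from the paper), the following Python builds the base-m polynomial for a small prime, then scans coprime pairs (a, b) for which both the norm $F(a, b) = N(a - b\alpha)$ and its image $a - bm$ under φ are B-smooth. Trial division stands in for the sieve, and the prime p = 1000003, the degree d = 3, the smoothness bound 11 and the search box are constructed for the example.

```python
from math import gcd
from typing import Dict, List, Optional, Tuple


def base_m_polynomial(p: int, d: int) -> Tuple[int, List[int]]:
    """m = floor(p^(1/d)) and the base-m digits a_0, ..., a_d of p, so that f(m) = p."""
    m = max(1, int(round(p ** (1.0 / d))))
    while m ** d > p:            # correct any floating-point error in the root
        m -= 1
    while (m + 1) ** d <= p:
        m += 1
    digits, t = [], p
    for _ in range(d + 1):
        digits.append(t % m)
        t //= m
    return m, digits


def homogeneous_value(f: List[int], a: int, b: int) -> int:
    """F(a, b) = b^d f(a/b) = sum_i a_i a^i b^(d-i), the norm of a - b*alpha."""
    d = len(f) - 1
    return sum(c * a ** i * b ** (d - i) for i, c in enumerate(f))


def smooth_factorization(n: int, bound: int) -> Optional[Dict[int, int]]:
    """Exponent map of |n| if |n| is bound-smooth, else None (trial division)."""
    n = abs(n)
    if n == 0:
        return None
    factors: Dict[int, int] = {}
    q = 2
    while q <= bound and q * q <= n:
        while n % q == 0:
            factors[q] = factors.get(q, 0) + 1
            n //= q
        q += 1
    if n > 1:                    # leftover cofactor: must itself be a prime <= bound
        if n > bound:
            return None
        factors[n] = factors.get(n, 0) + 1
    return factors


def collect_relations(p: int, d: int, bound: int, radius: int):
    """Pairs (a, b) with gcd(a, b) = 1, 0 < |a| <= radius, 1 <= b <= radius, for which
    F(a, b) and a - b*m are simultaneously bound-smooth, with both factorizations."""
    m, f = base_m_polynomial(p, d)
    relations = []
    for b in range(1, radius + 1):
        for a in range(-radius, radius + 1):
            if a == 0 or gcd(a, b) != 1:
                continue
            alg = smooth_factorization(homogeneous_value(f, a, b), bound)
            rat = smooth_factorization(a - b * m, bound)
            if alg is not None and rat is not None:
                relations.append((a, b, alg, rat))
    return m, f, relations
```

For p = 1000003 and d = 3 the polynomial is $f = X^3 + 3$ with m = 100; the pair (1, 1) gives $F(1, 1) = 4 = 2^2$ and $1 - 100 = -99 = -3^2 \cdot 11$, both 11-smooth, so it is a relation, whereas (−1, 1) fails on the rational side because 101 is prime.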

In order to get the favorable running time for the NFS the following items 
are crucial: 

1. The degree d of f (and thus of G) tends uniformly to infinity as p tends to infinity.

2. The size of the coefficients of G is of order $p^{1/d}$.

3. There is an efficient way to select a polynomial and thus an extension of $\mathbb{Q}$.

4. There is an efficiently computable homomorphism from $\mathbb{Z}[\alpha]$ to $\mathbb{F}_p$.

5. The sieving is done in the two domains $\mathbb{Z}[\alpha]$ and $\mathbb{F}_p$ simultaneously.

We will outline below that it is unknown how to achieve any of these items in 
the number field case. 


2.2 A Brief Review of the IQ-MPQS Relation Generation 

Before we proceed we shall briefly review the IQ-MPQS relation generation, see [9, 10] for details. Let $\mathcal{O}_\Delta$ denote the quadratic order of discriminant Δ. The objective is to find a set $\mathcal{R}$ of relations $R_i$ of the form

$R_i : \quad \prod_{j} \mathfrak{p}_j^{e_{ij}} \sim \mathcal{O}_\Delta . \qquad (2)$

Here FB is the factor base, a set of primitive prime $\mathcal{O}_\Delta$-ideals of the form (p, b) where $p \le B$ for some bound B. For each prime ideal $\mathfrak{p}_j = (p_j, b_j)$ of FB, let $b_j > 0$; the prime ideal $\overline{\mathfrak{p}}_j = (p_j, -b_j)$ will be represented by $\mathfrak{p}_j^{-1}$.

In order to generate a relation, a FB-smooth $\mathcal{O}_\Delta$-ideal is constructed. Let $\mathfrak{a}$ be this ideal with the representation (a, b). The corresponding binary quadratic form is $A(X, Y) = aX^2 + bXY + cY^2$, where $c = (b^2 - \Delta)/4a$. Now, if there are coprime integers x and y such that $ax^2 + bxy + cy^2 = a'$, then there exists another binary quadratic form $A'(X, Y) = a'X^2 + b'XY + c'Y^2$, which is equivalent to A, and in fact, the corresponding $\mathcal{O}_\Delta$-ideal $\mathfrak{a}' = (a', b')$ is equivalent to $\mathfrak{a}$. (The integer b' can be efficiently computed from the integers a, b, c, x, and y.) Therefore, $\mathfrak{a}\mathfrak{a}'^{-1} \sim \mathcal{O}_\Delta$, and if $\mathfrak{a}'$ is FB-smooth, this constitutes a relation. The prime ideal factorization of $\mathfrak{a}'$ can be obtained from the prime factorization of a', and from b' and Δ.
In order to find x and y such that $A(x, y) = a'$ is smooth, we sieve the quadratic polynomial A(X, Y); for simplicity, fix Y = 1. Then the sieving is performed almost exactly as in the MPQS factoring algorithm. Likewise, the selection of polynomials is exactly as in the MPQS factoring algorithm, including the self initialization technique.

The sieving step of the IQ-MPQS is, in a remote sense, similar to its counterpart in the NFS. In both algorithms polynomials are sieved. Yet, none of the crucial properties above are satisfied. In particular, the degree of the sieving polynomials is fixed, no matter how large Δ is, the size of the coefficients of the quadratic polynomials is of the order of $|\Delta|^{1/2}$, and the sieving takes place only in one domain.
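The construction of the equivalent form described above, as an added Python example (not the paper's code): from an ideal (a, b) of discriminant Δ we build the form A(X, Y), pick coprime (x, y), complete them to a matrix in $SL_2(\mathbb{Z})$ and substitute, which yields the equivalent form (a', b', c') with $a' = A(x, y)$. The paper only states that b' is computable from a, b, c, x, y; the explicit unimodular-substitution formula used here is the standard one and is our addition. The discriminant Δ = −23 and the inputs are constructed for the example.

```python
from typing import Tuple

Form = Tuple[int, int, int]  # (a, b, c) stands for aX^2 + bXY + cY^2


def form_from_ideal(a: int, b: int, delta: int) -> Form:
    """A(X, Y) = aX^2 + bXY + cY^2 with c = (b^2 - delta)/(4a) for the O_delta-ideal (a, b)."""
    c, rem = divmod(b * b - delta, 4 * a)
    if rem:
        raise ValueError("4a must divide b^2 - delta for (a, b) to represent an ideal")
    return a, b, c


def ext_gcd(x: int, y: int) -> Tuple[int, int, int]:
    """(g, s, t) with s*x + t*y == g == gcd(x, y) >= 0."""
    old_r, r, old_s, s, old_t, t = x, y, 1, 0, 0, 1
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    if old_r < 0:
        old_r, old_s, old_t = -old_r, -old_s, -old_t
    return old_r, old_s, old_t


def equivalent_form(form: Form, x: int, y: int) -> Form:
    """Substitute X -> xX + uY, Y -> yX + vY with x*v - u*y = 1 (our completion of the
    coprime pair (x, y) to an SL_2(Z) matrix).  The result is equivalent to `form`
    and its leading coefficient is A(x, y)."""
    a, b, c = form
    g, s, t = ext_gcd(x, y)
    if g != 1:
        raise ValueError("x and y must be coprime")
    u, v = -t, s                                   # x*v - u*y = s*x + t*y = 1
    a2 = a * x * x + b * x * y + c * y * y         # = A(x, y)
    b2 = 2 * a * x * u + b * (x * v + y * u) + 2 * c * y * v
    c2 = a * u * u + b * u * v + c * v * v
    return a2, b2, c2


def discriminant(form: Form) -> int:
    """b^2 - 4ac; equivalent forms share it, which is a cheap consistency check."""
    a, b, c = form
    return b * b - 4 * a * c
```

With Δ = −23 and the ideal (2, 1), the form is $2X^2 + XY + 3Y^2$; the pair (x, y) = (1, 1) produces $a' = 6$ and the equivalent form $(6, -5, 2)$, whose discriminant is again −23. In the IQ-MPQS it is the value $a' = A(x, y)$ that must be FB-smooth, and b' is what identifies which prime ideal above each prime factor of a' occurs.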

2.3 Towards an IQ-NFS 

In this section we try to build an IQ-NFS on top of the IQ-MPQS. We proceed 
rather naively and follow along the lines of the genuine NFS. 

Finding a Suitable Extension and a Homomorphism. First we try to find a suitable extension of $\mathcal{O}_\Delta$. In the genuine NFS there was a natural way to find an irreducible polynomial over $\mathbb{Z}$: we took p and from it computed an integer m and coefficients of a polynomial f(x) such that $f(m) \equiv 0 \pmod p$; in particular, $f(m) = p$, see above. Now, p was the characteristic of the finite field, which is a prime. However, in the number field case, the characteristic is always 0. So, it remains to be seen what to put in the place of p in the number field case.

Now, recall that the procedure in the genuine NFS to find a polynomial is not 
only natural because it is very simple and efficient. More important, we get the 
necessary ring-homomorphism from Z[a] to F p , and this homomorphism is very 
efficient to compute. It is this very connection between the polynomial and the 
homomorphism that makes, for instance, the difference between the generalized 
number field sieve (with rather large polynomial coefficients) and the special 
number field sieve (with very small polynomial coefficients). If the coefficients 
in the GNFS could be chosen freely, then there would be no difference between 
the GNFS and the SNFS. However, it is not known how to find a suitable 
homomorphism for arbitrary polynomials, and therefore, the polynomial must 
be chosen as described above. 

The same is certainly true in the number field case, where we have the additional problem of what to put in the place of p. We note, though, that in the number field case we are interested in a group-homomorphism instead of a ring-homomorphism. For instance, let $K = \mathbb{Q}(\sqrt{\Delta})$ and let $\mathcal{O}_K$ be the maximal order of K; likewise, let L be an extension of K and let $\mathcal{O}_L$ be the maximal order of L.

What we are looking for is a group homomorphism ψ that maps $\mathcal{O}_L$ to $\mathcal{O}_K$. Since a (basic) IQ-NFS algorithm would search for pairs $(\mathfrak{A}, \mathfrak{a})$, where $\mathfrak{A}$ is an $\mathcal{O}_L$-ideal and $\mathfrak{a}$ is an $\mathcal{O}_K$-ideal, ψ must satisfy the following properties:

1. if $\mathfrak{A}$ is smooth (in a suitable sense), then $\psi(\mathfrak{A})$ is smooth;

2. $\psi(\mathfrak{A}) \sim \mathfrak{a}$;

3. ψ is efficiently computable.
In the face of the fact that $\mathfrak{A}$ and $\mathfrak{a}$ must be found simultaneously (by sieving a polynomial), property 2 in conjunction with property 3 appears to be the hardest to satisfy. In fact, it is unknown how one could do that.

Finding a Polynomial with Small Coefficients. Suppose for the moment 
that we have surmounted the obstructions from the previous subsection. It is 
tempting to ask what one would get out of the algorithm, i.e. what would be its 
asymptotic expected running time. Following the design of the genuine NFS, we 
proceed naively in the following way: 

1. Choose a suitable integer d. 

2. Choose an extension over K, i.e. choose a polynomial $f(X) \in \mathcal{O}_K[X]$ such that

    $f(X) = \alpha_d X^d + \alpha_{d-1} X^{d-1} + \cdots + \alpha_0 , \qquad (3)$

    where $\alpha_i = a_i + b_i \sqrt{\Delta}$. Let $|a_i|, |b_i| \le B$, where B is a bound, e.g. $B = |\Delta|^{1/d}$ (recall that we just proceed naively as in the genuine NFS).

3. For the sieving we need a polynomial over $\mathbb{Z}$. In order to get such a polynomial $f_{\mathbb{Z}}(X)$ from f(X), rewrite $f(X) = a(X) + b(X)\sqrt{\Delta}$ and let $\bar{f}(X) = a(X) - b(X)\sqrt{\Delta}$ be the conjugate polynomial. Now let $f_{\mathbb{Z}}(X) = f(X)\bar{f}(X) = a^2(X) - b^2(X)\Delta$. Note that since we are dealing with imaginary quadratic number fields, $\Delta < 0$ and thus $f_{\mathbb{Z}}(X) = a^2(X) + b^2(X)|\Delta|$. Now it becomes apparent that $f_{\mathbb{Z}}(X)$ has coefficients of the order of $|\Delta|^{1 + 2/d}$, which turns out to be too large in order to get the $L[\frac{1}{3}]$ running time asymptotics, see below.

4. Finally, let $F_{\mathbb{Z}}(X, Y)$ be the homogenized form of $f_{\mathbb{Z}}(X)$. (We presume that a smooth value for $F_{\mathbb{Z}}(X, Y)$ would in some way give rise to a smooth $\mathcal{O}_L$-ideal.) Let A(X, Y) be the binary quadratic form that corresponds to an $\mathcal{O}_K$-ideal $\mathfrak{a}$, take $G(X, Y) = F_{\mathbb{Z}}(X, Y) A(X, Y)$ and sieve G(X, Y) for pairs (x, y) such that G(x, y) is smooth. Since the coefficients of $F_{\mathbb{Z}}$ are of size $O(|\Delta| B^2) = O(|\Delta|^{1 + 2/d})$ and the coefficients of A are of size $O(|\Delta|^{1/2})$, the coefficients of G are of size $O(|\Delta|^{3/2 + 2/d})$.

For the running time analysis we use the following principle from [2, Section 10]: Let $L(Z) = \exp\left(\sqrt{\ln Z \ln\ln Z}\right)$. In a sequence of $L(Z)^{\sqrt{2} + o(1)}$ random integers uniformly chosen from the interval [0, Z], $S = L(Z)^{1/\sqrt{2} + o(1)}$ of them will be S-smooth, and this is the optimal choice for S in order to maximize the yield.

We apply this principle to the sequence of integers that we get from G(X, Y) for X and Y ranging over certain intervals; here we assume that the integers G(X, Y) have the same properties as ordinary integers with respect to smoothness-probability (this constitutes, as usual, the major heuristic leap in the running time analysis).

We have $Z = |G(X, Y)|$, and since we sieve two-dimensionally, as in the genuine NFS, we have $|X|, |Y| \le M$ where $M = L(Z)^{1/\sqrt{2} + o(1)}$. Now we are in the position to perform a running time analysis as in [2], see also [4, Section 6.2.3].
- If $d$ is fixed as $|\Delta| \to \infty$, then we get an asymptotic running time proportional 
to $L_{|\Delta|}\left[\tfrac{1}{2}, \sqrt{3 + 4/d} + o(1)\right]$. 

- If $d \to \infty$ as $|\Delta| \to \infty$, then we get an asymptotic running time proportional 
to $L_{|\Delta|}\left[\tfrac{1}{2}, \sqrt{3} + o(1)\right]$. 

This means that the IQ-NFS (designed as above) performs in any case much 
worse than the IQ-MPQS. Now, $f_{\mathbb{Z}}$ as chosen above may not be the optimal 
polynomial for $L$. One could, for example, use lattice reduction methods to get 
a polynomial $f_{\mathbb{Z}}$ with smaller coefficients, see for example Algorithm POLRED 
in [3, Algorithm 4.4.1]. However, the coefficients of such a polynomial will not 
be arbitrarily small, and even if $f_{\mathbb{Z}}$ had coefficients of order $O(|\Delta|^{1/2+2/d})$ 
(which constitutes a substantial improvement), then the asymptotic running times 
would merely come down to $L_{|\Delta|}\left[\tfrac{1}{2}, \sqrt{2 + 4/d} + o(1)\right]$ and 
$L_{|\Delta|}\left[\tfrac{1}{2}, \sqrt{2} + o(1)\right]$, which is still 
worse than the IQ-MPQS. We will elaborate on the effectiveness of polynomial 
reduction algorithms applied to our problem in the full version of the paper. 
Finally, changing the polynomial also changes the basis for element and ideal 
representation in $L$, and thus this changes the homomorphism; that might be a 
major problem. 

In order to get the typical NFS asymptotic $L[\tfrac{1}{3}]$, the coefficients of $G(X,Y)$ 
must have order of magnitude $|\Delta|^{O(1/d)}$. Since the coefficients of $A(X,Y)$ usually 
have order of magnitude $|\Delta|^{1/2}$, we must alter the design of the IQ-NFS. 
Let $F_{\mathbb{Z},1}(X,Y)$ and $F_{\mathbb{Z},2}(X,Y)$ be irreducible polynomials with the desired 
properties, let $L_1$ and $L_2$ be the corresponding extension fields, let 
$G(X,Y) = F_{\mathbb{Z},1}(X,Y)F_{\mathbb{Z},2}(X,Y)$, and let $\psi_1$ and $\psi_2$ be ideal-homomorphisms 
that map $\mathcal{O}_{L_1}$-ideals and $\mathcal{O}_{L_2}$-ideals to $\mathcal{O}_K$-ideals. Now we require that if a 
smooth $\mathcal{O}_{L_1}$-ideal $\mathfrak{A}_1$ and a smooth $\mathcal{O}_{L_2}$-ideal $\mathfrak{A}_2$ are found simultaneously 
by sieving $G(X,Y)$, then $\psi_1(\mathfrak{A}_1)$ and $\psi_2(\mathfrak{A}_2)$ are also smooth and 
$\psi_1(\mathfrak{A}_1) \sim \psi_2(\mathfrak{A}_2)$. Still, it remains to be seen how $F_{\mathbb{Z},1}$ and $F_{\mathbb{Z},2}$ as 
well as $\psi_1(\mathfrak{A}_1)$ and $\psi_2(\mathfrak{A}_2)$ are to be chosen. 

Summary. The major stumbling blocks on the way towards an IQ-NFS are 
firstly to find suitable extensions of imaginary quadratic number fields, which 
provide suitable ideal-homomorphisms. It is unknown how to find such exten- 
sions. Secondly, by the nature of sieving algorithms, the extensions are to be 
represented as irreducible polynomials over Z. It is unknown how to find suitable 
irreducible polynomials with sufficiently small coefficients. The first obstruction 
says that it is not known how to design core elements of the IQ-NFS, and the 
second obstruction says that even if this were known, it would still be unknown 
whether the IQ-NFS could be of any use. 

3 Relative Obstructions 

In this section we will attempt to provide a connection between the aforemen- 
tioned problems and those that arise in the case of elliptic curves and hyperel- 
liptic curves. We begin by stating the following definition. 

Definition 1. The Discrete Logarithm Problem in $G$ is: given $\gamma, \gamma' \in G$, find 
the smallest $n \in \mathbb{Z}_{\ge 0}$ such that $\gamma^n = \gamma'$, if such an integer exists. 

If the group under consideration corresponds to the points on an elliptic 
curve, we call this the Elliptic Curve Discrete Logarithm Problem, and abbreviate 
it by ECDLP. Analogously, if the group corresponds to the Jacobian of 
a hyperelliptic curve, we call this the Hyperelliptic Curve Discrete Logarithm 
Problem and denote it by HCDLP. Since an elliptic curve is just a hyperelliptic 
curve of genus one, we note that the ECDLP is just a particular instance of the 
HCDLP. 

The majority of this section will describe how to take an instance of the 
ECDLP and convert it to an instance of an HCDLP for a curve of higher genus. 
That is, we will prescribe a technique for constructing a cover of an elliptic curve 
by a hyperelliptic curve of larger genus that forces an inclusion from the elliptic 
curve into the Jacobian of the hyperelliptic curve. While this is apparently a well 
known result, we include some details since they appear to be lacking from the 
literature. 

We conclude the section by discussing how the existence of this map relates to 
the overall complexity of solving the ECDLP. We will also discuss how finding an 
algorithm of lower subexponential complexity for the HCDLP seems intrinsically 
linked to solving the analogous problem for imaginary quadratic number fields. 

3.1 Jacobians of Hyperelliptic (and Elliptic) Curves 

In the remaining sections, let $K$ denote an arbitrary field. We will mostly be 
interested in the case when $K = \mathbb{F}_q$, but the majority of what follows applies 
to arbitrary fields. For our purposes, it suffices to define a hyperelliptic curve of 
genus $g$ to be a curve given by an equation of the following form: 

$$C : y^2 + h(x)y = f(x)$$

where $h, f \in K[x]$ are such that $\deg h \le g$ and $\deg f = 2g+1$ or $2g+2$ with $f$ 
monic. Furthermore, no element in $\bar{K} \times \bar{K}$ may simultaneously satisfy 

$$y^2 + hy - f = 0, \qquad 2y + h = 0, \qquad h'y - f' = 0.$$

These last criteria force the curve to have a smooth affine model, which simply 
makes calculations more palatable (and the statement about the genus correct). 
Every hyperelliptic curve inherently admits such a model, so this by no means 
limits our discussion. Furthermore, if the characteristic of $K$ is not 2, we will 
always take $h = 0$ (this is possible by completing the square on the left hand 
side). A hyperelliptic curve of genus one is an elliptic curve. The function field 
of $C$ is defined to be 

$$K(C) \cong K(x)[y]/(y^2 + hy - f).$$

Each element of the function field can be thought of as a map from $C$ to $\bar{K} \cup \{\infty\}$ 
(otherwise denoted as $\mathbb{P}^1_{\bar{K}}$). 

We now give a brief overview of the Jacobian of a hyperelliptic curve. For 
more complete details, see the appendix in [11]. A divisor on $C$ is a formal sum 
of points $D = \sum m_P P$ where $m_P = 0$ for all but finitely many points of $C$. 
The degree of a divisor is $\deg D = \sum m_P$. The set of all divisors on $C$ forms a 
group and is denoted $\mathrm{Div}(C)$. The subset of all divisors of degree zero is a proper 
subgroup and is denoted $\mathrm{Div}^0(C)$. 

We wish to consider the quotient of $\mathrm{Div}^0(C)$ by the following subgroup. For 
any function $\gamma \in K(C)$, we may associate a divisor to $\gamma$ by $(\gamma) = \sum m_P P$ where 
$m_P = \mathrm{ord}_P(\gamma)$ is the order of the zero or pole of $\gamma$ at $P$. Such divisors are said 
to be principal divisors. The set of all principal divisors is denoted by $\mathcal{P}(C)$. 
$\mathcal{P}(C)$ is a subgroup of $\mathrm{Div}^0(C)$ because every principal divisor has degree zero, 
although this is by no means obvious from the above definitions. 

The group that we are interested in is called the Picard group of $C$ (in fact, 
we are interested in the degree zero part of the Picard group, but we will abuse 
the language slightly). The group is defined to be 

$$\mathrm{Pic}^0(C) = \mathrm{Div}^0(C)/\mathcal{P}(C).$$

$\mathrm{Pic}^0(C)$ contains all of the arithmetic information about the Jacobian of $C$ that 
we need. If we have a tower of fields, $K \subseteq L \subseteq \bar{K}$, then $G_L = \mathrm{Gal}(\bar{K}/L)$ has 
a natural action on $\mathrm{Pic}^0(C)$ induced by its action on $\mathcal{P}(C)$ and $\mathrm{Div}^0(C)$ (which 
conveniently agree). The fixed group under this action is denoted by $\mathrm{Pic}^0_L(C)$. 
Obviously, we will be most interested in the case when $L = K$. 

While the above construction of $\mathrm{Pic}^0(C)$ is mathematically rigorous, it is 
somewhat lacking from a computational perspective. We will not cover the details 
of how to perform arithmetic, but instead refer the reader to the appendix in 
[11] again. The second computational problem that arises is how to represent 
elements in this group. For each element in $\mathrm{Pic}^0(C)$, it is possible to associate to 
it a unique divisor in $\mathrm{Div}^0(C)$. These unique divisors are called reduced divisors. 
The arithmetic and presentation in $\mathrm{Pic}^0(C)$ are performed using these reduced 
divisors. 

3.2 Including Elliptic Curves into Jacobians of Hyperelliptic Curves 

We begin with a definition to facilitate constructing the desired cover of our 
elliptic curve. Let $p$ denote the characteristic of the field $K$. For an integer $n$, we 
will write $n = n_1 \cdot p^{n_p}$ where $n_1$ is an integer that satisfies $\gcd(n_1, p) = 1$, and 
$n_p \ge 0$ (in characteristic zero, one takes $n_1 = n$, $n_p = 0$). Let $\rho_p(x)$ denote the 
Artin-Schreier character, i.e. $\rho_p(x) = x^p - x$. Define the polynomial 

$$\xi_n(x) = \rho_p^{\circ n_p}(x) \circ x^{n_1}.$$

Theorem 1. Let $E$ be an elliptic curve given by 

$$E : y^2 + hy = f, \qquad \deg f = 3, \qquad \deg h \le 1.$$

If in characteristic 2, $h(0) \neq 0$, or in characteristic different from 2, $f(0) \neq 0$, 
then there exists a hyperelliptic curve $C_n$ of genus $\lfloor n + \tfrac{n-1}{2} \rfloor$ given by 

$$C_n : y^2 + h(\xi_n(x))y = f(\xi_n(x)),$$

such that $C_n$ is an $n$-to-1 cover of $E$. 

The restrictions on $h(0)$ and $f(0)$ ensure that the resulting model for $C_n$ 
is smooth. The smoothness of this model is a consequence of combining the 
definition of smoothness given above and noting that the polynomial given by 
$\xi_n(x) - a$ for any $0 \neq a \in \bar{K}$ has no repeated roots. The genus follows trivially 
from the definition given above for a hyperelliptic curve. 

Considering an elliptic curve over $K$, it is possible to transform it into a 
curve of this form by using the substitution $x \mapsto x + a$ for some $a \in K$ satisfying 
$h(a) \neq 0$ in characteristic 2, or $f(a) \neq 0$ otherwise. The only elliptic curve for 
which finding such an $a$ is not possible is the curve 

$$E : y^2 = x(x-1)(x-2)$$

defined over $\mathbb{F}_3$. By extending the ground field, the above substitution could 
then be used. However, this curve is of no interest for the problem we wish to 
solve, so the above theorem applies to all cryptographically interesting elliptic 
curves. 

The map from $C_n$ to $E$ is given as follows: 

$$\Xi_n : C_n \to E, \qquad (\alpha, \beta) \mapsto (\xi_n(\alpha), \beta),$$

and the point(s) at infinity on $C_n$ map to the unique point at infinity on 
$E$. This is clearly a well-defined algebraic map of curves, and for most points, 
there are precisely $n$ distinct pre-images under $\Xi_n$ since $\xi_n(x) - \alpha$ has degree $n$. 
Therefore, $C_n$ is an $n$-to-1 cover of $E$ via $\Xi_n$. 

Given any two curves and a map between them, there is an induced map on 
the Jacobians of the two curves. We can use the map $\Xi_n$ defined above to do 
precisely this. We proceed by constructing a map between the respective divisor 
class groups 

$$\Xi_n^* : \mathrm{Div}^0(E) \to \mathrm{Div}^0(C_n).$$

We define the map as follows. Let $P = (\alpha, \beta)$ be a finite point on $E$, and let $\alpha_i$ 
denote the $n$ roots of $\xi_n(x) - \alpha$ (each with appropriate multiplicity). If $n$ is odd, 
then 

$$\Xi_n^* : P - P_\infty \mapsto \sum_{i=1}^{n} (\alpha_i, \beta) - nP_\infty,$$

where $P_\infty$ represents the unique point at infinity on the two respective curves. 
If $n$ is even, 

$$\Xi_n^* : P - P_\infty \mapsto \sum_{i=1}^{n} (\alpha_i, \beta) - \frac{n}{2}\left(P_{\infty_1} + P_{\infty_2}\right),$$

where $P_\infty$ is the unique point at infinity on $E$, and $P_{\infty_1}$ and $P_{\infty_2}$ are the two 
points at infinity on $C_n$. Since $\Xi_n^*$ includes $\mathcal{P}(E)$ into $\mathcal{P}(C_n)$, it induces a map on 
the Picard groups, called the conorm map: 

$$\mathrm{Con}_{C_n/E} : \mathrm{Pic}^0(E) \to \mathrm{Pic}^0(C_n).$$

It is precisely this map that we will use to translate an ECDLP into an HCDLP 
for a curve of higher genus. 

Theorem 2. If $E$ and $C_n$ are as specified in Theorem 1, then the induced map 

$$\mathrm{Con}_{C_n/E} : \mathrm{Pic}^0_L(E) \to \mathrm{Pic}^0_L(C_n)$$

is injective for all $n$ and any $K \subseteq L \subseteq \bar{K}$. 

By first proving the result over the algebraic closure, $\bar{K}$, the theorem follows 
for all intermediary subfields by restriction. In our case, we are really only 
interested in the case of $L = K$. For the case when $n$ is odd, it is simple enough to 
show that the image under $\Xi_n^*$ of a divisor on $E$ of the form $P - P_\infty$, where $P$ 
is any finite point, is a non-trivial reduced divisor in $\mathrm{Div}^0(C_n)$. This is sufficient 
to conclude that the map is injective. If $n$ is even, one proves the injectivity of 
the map by constructing a secondary hyperelliptic curve which is isomorphic to 
$C_n$, but has only one point at infinity. 

Since this map is injective, it is clear that given an ECDLP for $E$, we can 
translate it into an HCDLP for $C_n$. This map is effective and quite easy to 
compute using . If $n$ is odd and we are using the standard representations for 
divisors on $C_n$, the map is given by 

$$(\alpha, \beta) \mapsto \mathrm{div}(\xi_n(x) - \alpha, \beta).$$
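The following Python is an added example, not code from the paper: it builds the cover $C_n$ of Theorem 1 over a small prime field in odd characteristic (so $h = 0$), checks that $\Xi_n$ sends points of $C_n$ to points of $E$ with at most $n$ preimages each, confirms the genus formula and the smoothness of the model, and verifies that for odd $n$ the Mumford pair $(\xi_n(x) - \alpha, \beta)$ is a reduced divisor on $C_n$. The field $\mathbb{F}_{13}$, the curve $E$, the values of $n$ (including the Artin-Schreier case $p \mid n$) and all function names are the example's own assumptions.

```python
def ptrim(a):
    """Drop leading zero coefficients (polynomials are lists over F_p, lowest degree first)."""
    a = list(a)
    while len(a) > 1 and a[-1] == 0:
        a.pop()
    return a

def padd(a, b, p):
    n = max(len(a), len(b))
    return ptrim([((a[i] if i < len(a) else 0) + (b[i] if i < len(b) else 0)) % p for i in range(n)])

def pmul(a, b, p):
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % p
    return ptrim(out)

def peval(a, x, p):
    r = 0
    for c in reversed(a):
        r = (r * x + c) % p
    return r

def pcompose(outer, inner, p):
    """outer(inner(x)) over F_p by Horner's rule."""
    res = [0]
    for c in reversed(outer):
        res = padd(pmul(res, inner, p), [c % p], p)
    return res

def prem(a, b, p):
    """Remainder of a modulo b over F_p."""
    a, b = ptrim(a), ptrim(b)
    inv = pow(b[-1], -1, p)
    while len(a) >= len(b) and any(a):
        q, shift = a[-1] * inv % p, len(a) - len(b)
        for i, bi in enumerate(b):
            a[shift + i] = (a[shift + i] - q * bi) % p
        a = ptrim(a)
    return a

def pgcd(a, b, p):
    while any(b):
        a, b = b, prem(a, b, p)
    return ptrim(a)

def pderiv(a, p):
    return ptrim([(i * c) % p for i, c in enumerate(a)][1:] or [0])

def xi_n(n, p):
    """xi_n(x) = rho_p^{o n_p}(x) o x^{n_1}, where n = n_1 p^{n_p}, gcd(n_1, p) = 1, rho_p(x) = x^p - x."""
    n1, np_ = n, 0
    while n1 % p == 0:
        n1, np_ = n1 // p, np_ + 1
    poly = [0] * n1 + [1]                      # x^{n_1}
    rho = [0, p - 1] + [0] * (p - 2) + [1]     # x^p - x
    for _ in range(np_):
        poly = pcompose(rho, poly, p)          # one more Artin-Schreier layer
    return poly

def build_cover(f, n, p):
    """Theorem 1 in odd characteristic (h = 0): C_n : y^2 = F(x) = f(xi_n(x)).  Returns (xi_n, F)."""
    xi = xi_n(n, p)
    return xi, pcompose(f, xi, p)

def genus(F):
    return (len(ptrim(F)) - 2) // 2            # deg F = 2g+1 or 2g+2

def is_smooth_model(F, p):
    """Smooth affine model in odd characteristic: F has no repeated root, i.e. gcd(F, F') is a constant."""
    return len(pgcd(F, pderiv(F, p), p)) == 1

def affine_points(F, p):
    return [(a, b) for a in range(p) for b in range(p) if b * b % p == peval(F, a, p)]

def check_cover(f, n, p):
    """Xi_n : (a, b) -> (xi_n(a), b) must send C_n(F_p) into E(F_p) with at most n preimages per point;
    for odd n, (xi_n(x) - alpha, beta) must be a Mumford pair on C_n (u | v^2 - F) with deg u = n <= g."""
    xi, F = build_cover(f, n, p)
    e_pts = set(affine_points(f, p))
    fibre = {}
    for a, b in affine_points(F, p):
        img = (peval(xi, a, p), b)
        if img not in e_pts:
            return False
        fibre.setdefault(img, set()).add(a)
    if any(len(s) > n for s in fibre.values()):
        return False
    for alpha, beta in (e_pts if n % 2 == 1 else []):
        u = padd(xi, [(-alpha) % p], p)                         # u(x) = xi_n(x) - alpha
        v2_minus_F = padd([beta * beta], [(-c) % p for c in F], p)
        if any(prem(v2_minus_F, u, p)) or len(u) - 1 > genus(F):
            return False
    return True

if __name__ == "__main__":
    P, E = 13, [1, 2, 0, 1]          # constructed sample: E : y^2 = x^3 + 2x + 1 over F_13, f(0) = 1 != 0
    for N in (3, 13):                # n coprime to p, and n = p (the Artin-Schreier case)
        xi, F = build_cover(E, N, P)
        print(f"n={N}: deg xi_n={len(xi) - 1}, genus={genus(F)} = floor(n+(n-1)/2)={N + (N - 1) // 2}, "
              f"smooth={is_smooth_model(F, P)}, cover checks={check_cover(E, N, P)}")
```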


3.3 Relating the Complexity of the ECDLP and HCDLP 

Although $C_n$ can be used to convert an ECDLP into an HCDLP, this does 
not necessarily help us solve the problem more efficiently. In fact, with the 
current algorithms for solving instances of HCDLPs, this amounts to taking a 
hard problem and making it harder. However, in this section, we consider the 
ramifications of the development of an algorithm to solve the HCDLP that is 
considerably more efficient than the algorithms that currently exist. 

We start by noting that for a hyperelliptic curve of genus $g$ over $\mathbb{F}_q$, the size 
of $\mathrm{Pic}^0_K(C)$ is roughly $q^g$. 

Theorem 3. If there exists an algorithm to solve the HCDLP with running 
time $L_{q^g}[\alpha, \beta + o(1)]$ with $\alpha < 1/2$ for $g \sim \log q$, as $q \to \infty$, then there exists an 
algorithm to solve the ECDLP in time $L_q[\alpha', \beta' + o(1)]$ with $\alpha' < 1$ and $\beta' \neq 0$ 
as $q \to \infty$. 

Proof. Given an elliptic curve $E$ over $\mathbb{F}_q$, set $n = \lceil \tfrac{2}{3}\log q \rceil$. By using $\mathrm{Con}_{C_n/E}$ 
and $C_n$, which has genus $g \ge \log q$, we can solve the HCDLP in $\mathrm{Pic}^0(C_n)$ in time 
$L_{q^g}[\alpha, \beta + o(1)]$. Letting $\gamma$ be such that $g = \gamma \log q$, then we have 

$$(\beta + o(1))(\log q^g)^{\alpha}(\log\log q^g)^{1-\alpha} = (\beta + o(1))(\log q)^{2\alpha}\gamma^{\alpha}(\log\gamma + 2\log\log q)^{1-\alpha}.$$

Ignoring the coefficients for a moment, we may rewrite the right hand side as 

$$(\log q)^{2\alpha+\epsilon}(\log\log q)^{1-(2\alpha+\epsilon)} \cdot \frac{(\log\gamma + 2\log\log q)^{1-\alpha}}{(\log\log q)^{1-(2\alpha+\epsilon)}(\log q)^{\epsilon}}$$

for any $\epsilon > 0$. As $q \to \infty$, the fractional term tends to 0 (since $\gamma \to 1$), and 
hence we have that 

$$(\log q^g)^{\alpha}(\log\log q^g)^{1-\alpha} \le (\log q)^{2\alpha+\epsilon}(\log\log q)^{1-(2\alpha+\epsilon)}.$$

Therefore, an upper bound for the running time is given by $L_q[2\alpha + \epsilon, \beta']$, for any 
positive fixed $\epsilon > 0$, and any $\beta' > 0$ (although clearly both affect the constants 
involved in the big-O notation). If $\alpha < 1/2$, we can clearly choose $\epsilon > 0$ such 
that $2\alpha + \epsilon < 1$, which proves the desired result. 

Theorem 4. If there exists an algorithm to solve the HCDLP in time $L_{q^g}[\alpha, \beta + o(1)]$ 
with $\alpha = 1/2$ for $g \sim (\log q)^{\delta}$ and $\delta < 1$, as $q \to \infty$, then there exists an 
algorithm to solve the ECDLP in time $L_q[\alpha', \beta' + o(1)]$ with $\alpha' < 1$ and $\beta' \neq 0$ 
as $q \to \infty$. 

Proof. We proceed as above, but this time we choose $n = \lceil \tfrac{2}{3}(\log q)^{\delta} \rceil$. As before, 
we map to $\mathrm{Pic}^0(C_n)$, where we can solve the HCDLP in time $L_{q^g}[\alpha, \beta + o(1)]$. 
Letting $\gamma$ be such that $g = \gamma(\log q)^{\delta}$, then after substituting for $g$ we note 

$$(\beta + o(1))(\log q^g)^{\alpha}(\log\log q^g)^{1-\alpha} = (\beta + o(1))(\log q)^{(1+\delta)\alpha}\gamma^{\alpha}(\log\gamma + (1+\delta)\log\log q)^{1-\alpha}.$$

Again ignoring the coefficients, we may rewrite the right hand side as 

$$(\log q)^{(1+\delta)\alpha+\epsilon}(\log\log q)^{1-((1+\delta)\alpha+\epsilon)} \cdot \frac{(\log\gamma + (1+\delta)\log\log q)^{1-\alpha}}{(\log\log q)^{1-((1+\delta)\alpha+\epsilon)}(\log q)^{\epsilon}}$$

for any $\epsilon > 0$. We now note that as $q \to \infty$, the fractional term tends to 0. Hence 
we have that 

$$(\log q^g)^{\alpha}(\log\log q^g)^{1-\alpha} \le (\log q)^{(1+\delta)\alpha+\epsilon}(\log\log q)^{1-((1+\delta)\alpha+\epsilon)}.$$

This implies the running time is bounded above by $L_q[(1+\delta)\alpha + \epsilon, \beta' + o(1)]$ for 
any $\epsilon > 0$ and $\beta' \neq 0$. This time we note that if $\delta < 1$, and since $\alpha = 1/2$, we 
can choose $\epsilon$ so that $(1+\delta)\alpha + \epsilon < 1$. 

It should not be construed that either of these two results imply the existence 
of a subexponential algorithm for the ECDLP. Examining them more deeply, 
they in fact suggest that our current index calculus approaches for solving the 
HCDLP are incapable of yielding algorithms with a running time in the range 
required for either theorem. To derive this conclusion we note that while the 
current algorithms for solving an instance of an HCDLP on a curve of genus g 
over F q utilize factor bases which are subexponential in terms of q g , they are 
exponential in terms of q. Hence, using such algorithms to solve an instance of 
the ECDLP by embedding it in the Jacobian of a hyperelliptic curve can not 
result in a subexponential algorithm. This does not exclude the possibility of 
such techniques being effective in constructing an exponential algorithm which 
has a better run-time than Pollard-rho. 

Using the same techniques as above, we can make the following somewhat 
perverse observation. 
Theorem 5. If there exists a subexponential algorithm for hyperelliptic curves 
of genus 2, then there exists a subexponential algorithm for elliptic curves. 

The proof follows as above using $n = 2$ (in fact, the previous theorem is 
also true with 2 replaced by any other fixed genus that may be written in the 
form $\lfloor n + \tfrac{n-1}{2} \rfloor$). It is important to note that the resulting algorithm would 
have worse overall complexity and the size of the elliptic curve for which the 
asymptotics would assert themselves is undoubtedly very large, but it would 
still be subexponential. The conundrum that arises from this observation is that 
the converse statement is not necessarily true. 


3.4 The Analogue between HCDLP and IQDLP 

While solving the HCDLP and IQDLP problems appears to be linked only superficially, 
since they are both discrete logarithm problems, the connection between 
them runs much deeper. If we consider the original algorithm developed by [1] 
to solve the HCDLP in high genus hyperelliptic curves, it has the same fundamental 
structure as the IQ-MPQS. That is, they both find relations by searching 
for elements with smooth norms in certain quadratic extensions. If we restrict 
our attention to the case of imaginary hyperelliptic curves (when the degree of 
$f$ is odd), then the following diagram can be used to demonstrate the 
connection. 

[Diagram not recoverable from the extracted text; the surviving labels are $K_\Delta$, $\mathcal{O}_\Delta$, $\mathbb{Q}$ and $K[x]$.] 

In particular, solving the HCDLP in $\mathrm{Pic}^0_K(C)$ is equivalent to solving the 
same problem in the ideal class group of $K[C]$. Fundamentally, both the HCDLP 
and class group computations in imaginary quadratic orders are equivalent to 
solving the discrete logarithm problem in ideal class groups of a quadratic extension. 
Indeed, if we consider the algorithm presented in [6], it can be considered to 
solve the problem in both situations. Although there are some subtle differences 
that arise in the analysis of the complexity, they do not affect the 
exponent $\alpha$, which has the greatest impact on the asymptotic run-time. 

The problem that prevents the development of a suitable IQ-NFS is the same 
problem that prevents the development of a better algorithm to solve HCDLPs. 
Namely, how does one find an extension of a quadratic extension which yields 
suitable ideal-homomorphisms? Considering the strong analogy between the two 
situations, it seems plausible that finding a solution in one of the two settings 
could easily be extended to the other. 

4 Conclusion 

We have presented some indication that the techniques of the number field sieve 
may not be applicable to computations in imaginary quadratic number fields in 
a profitable way. In particular, it is unknown how to design fundamental core 
elements of an IQ-NFS algorithm, and even if this were known, it would not 
be clear whether or how such an algorithm could be useful (i.e. profitable). 
Moreover, we gave an outline of how the existence of an IQ-NFS with the running 
time asymptotics $L[\tfrac{1}{3}]$ could conceivably be used to develop an algorithm to 
solve elliptic curve related computational problems with subexponential running 
time. It is worthwhile to point out that the analogy between these two settings 
is not restricted to algorithms of index-calculus type. It follows for example that 
if there is no subexponential algorithm to solve the ECDLP, then it is likely that 
$L_{|\Delta|}[\tfrac{1}{2}, c + o(1)]$ is the best achievable running time for the IQDLP. 

As pointed out in the introduction, due to the somewhat speculative nature 
of this article, it is to be understood as a starting point for further research. 
For example, it would be interesting to establish rigorously the computational 
equivalence of the discrete logarithm problems for number field and function 
field class groups. 

References 

1. Adleman, L. M., DeMarrais, J., and Huang, M.-D. A subexponential algorithm 
for discrete logarithms over hyperelliptic curves of large genus over GF(q). 
Theoretical Computer Science 226, 1-2 (1999), 7-18. 

2. Buhler, J. P., Lenstra, Jr., H. W., and Pomerance, C. Factoring integers 
with the number field sieve. In The development of the number field sieve, A. K. 
Lenstra and H. W. Lenstra, Eds., no. 1554 in LNM. Springer-Verlag, 1993, pp. 50-94. 

3. Cohen, H. A Course in Computational Algebraic Number Theory, vol. 138 of 
GTM. Springer-Verlag, 1995. 

4. Crandall, R., and Pomerance, C. Prime Numbers: A Computational Perspective. 
Springer-Verlag, 2000. 

5. Damgård, I., and Fujisaki, E. A statistically-hiding integer commitment scheme 
based on groups with hidden order. In Advances in Cryptology - ASIACRYPT 2002 
(2002), Y. Zheng, Ed., vol. 2501 of LNCS, Springer-Verlag, pp. 125-142. 

6. Enge, A., and Gaudry, P. A general framework for subexponential discrete 
logarithm algorithms. Acta Arithmetica 102, 1 (2002), 83-103. 

7. Gordon, D. M. Discrete logarithms in GF(p) using the number field sieve. SIAM 
Journal on Discrete Mathematics 6, 1 (1993), 124-138. 

8. Hamdy, S. IQ cryptography: A secure and efficient alternative. Journal of Cryptology 
(2003). Submitted. 

9. Jacobson, Jr., M. J. Applying sieving to the computation of quadratic class 
groups. Mathematics of Computation 68, 226 (1999), 859-867. 

10. Jacobson, Jr., M. J. Subexponential Class Group Computation in Quadratic 
Orders. PhD thesis, Technische Universität Darmstadt, Fachbereich Informatik, 
Darmstadt, Germany, 1999. 

11. Koblitz, N. Algebraic Aspects of Cryptography, vol. 3 of Algorithms and Computation 
in Mathematics. Springer-Verlag, 1998. 

12. Schirokauer, O. Discrete logarithms and local units. Philosophical Transactions 
of the Royal Society of London, Series A 345, 1676 (1993), 409-423. 

13. Schirokauer, O. Using number fields to compute logarithms in finite fields. 
Mathematics of Computation 69, 231 (2000), 1267-1283. 

14. Schirokauer, O., Weber, D., and Denny, T. Discrete logarithms: The effectiveness 
of the index calculus method. In Algorithmic Number Theory, ANTS-II 
(1996), H. Cohen, Ed., vol. 1122 of LNCS, Springer-Verlag, pp. 337-361. 

15. Weber, D. Computing discrete logarithms with the general number field sieve. In 
Algorithmic Number Theory, ANTS-II (1996), H. Cohen, Ed., vol. 1122 of LNCS, 
Springer-Verlag, pp. 391-403. 



The Secret and Beauty of Ancient Chinese Padlocks 


Hong-Sen Yan 1 and Hsing-Hui Huang 2 

1 National Science and Technology Museum, Director General 
720 Chiu-Ju 1st Road, Kaohsiung 807, Taiwan 
hsyan@mail.ncku.edu.tw 
http://www.acmcf.org.tw 
2 Department of Mechanical Engineering, Graduate student 
National Cheng Kung University, 1 Ta-Hsueh Road, Tainan 701, Taiwan 
sanly.huang@msa.hinet.net 


Abstract. Most ancient Chinese padlocks are key-operated locks with splitting 
springs, and partially keyless letter-combination locks. They can be characterized 
based on the types of locks, the shapes of locks, the engravings of locks, 
the materials of locks, and the mechanisms of locks. Some locks and keys are 
not only very beautiful and artistically colorful but also come in various designs. As a 
result, a splitting spring padlock is an asymmetric key cryptosystem, and a 
combination padlock is a symmetric key cryptosystem. 


1 Introduction 

The development of locks arises psychologically from practical needs for the safety of 
individuals, of groups, or of individuals within groups. Though they have a long history, 
the related documents on, and preservation of, ancient Chinese locks are quite insufficient. 
And because of their hardly noticeable nature in China, very few curio collectors set 
their eyes on locks, and very few scholars focused their study on locks [1,2]. 

The history of Chinese locks is in close association with the materials, tools, and 
cultural background of a specific time. The development and applications of locks in 
the past reflected the technological, cultural, and economic situation of each period 
in history. Ever since the late Eastern Han Dynasty, metal splitting spring padlocks 
had always been the most widely used locks among Chinese people. Though the 
shapes of ancient Chinese locks diversified, the inner structures have not changed 
much for the past two thousand years. And Chinese locks faded gradually after 
western pin-tumbler cylinder locks were introduced into the country in the 1940s. 

This article addresses the beauty and the mechanisms of Chinese padlocks, and 
relates the opening systems of Chinese locks to cryptosystems. 

2 Characteristics 

Ancient Chinese locks are mechanical padlocks, mostly key-operated bronze locks 
with splitting springs and partially keyless letter-combination locks. The major 
features of ancient locks are the types of locks, the shapes of locks, the engravings of 
locks, the materials of locks, and the mechanisms of locks [3, 4]. 

C.S. Laih (Ed.): ASIACRYPT 2003, LNCS 2894, pp. 326-330, 2003. 

2.1 Types of Locks 

Ancient Chinese padlocks can be classified into the splitting spring locks and the 
letter-combination locks. A splitting spring padlock has to use a key for opening, and 
it has the types of broad locks and pattern locks. And, a letter-combination padlock 
has no keys for opening. 


2.2 Shapes of Locks 

Broad locks are horizontally positioned locks, Figure 1(a). The front side has 
the shape of the character "凸", and they are mostly made of bronze. Pattern locks come in 
many different shapes, Figure 1(b). They can be roughly classified into the types of 
human figures, animals, musical instruments, letters, utensils, and others. Combination 
locks usually have three to seven wheels, Figure 1(c). They are of the horizontal 
round-pillar shape with several tunable wheels of the same size set in array on the 
central axis of the pillar body. Each wheel has the same number of carved letters. 



(a) Broad locks (b) Pattern locks (c) Combination locks 

Fig. 1. Types and shapes of Chinese locks 


2.3 Engraving of Locks 

Engraving on the body surface of Chinese locks can be classified into two types: the 
etching and the engraving. Patterns commonly employed are lucky objects, human 
figures, Chinese characters, landscapes, flowers, plants, and others. All these revealed 
hidden handicraft skills and great beauty in an object of such utility. 


2.4 Materials of Locks 

According to the development of various materials in various periods, ancient Chinese 
locks were made of wood, bronze, brass, red bronze, cupronickel, iron, silver, 
gold, steel, aluminum, and nickel. The early broad locks found were mostly made of 
bronze; later brass was the most popular, followed by iron. 

3 Mechanisms 

A splitting spring padlock consists of a lock-body, a sliding bolt, and a key, Fig- 
ure 2(a). The lock-body provides a keyhole for the key to insert and the supporting 
guide for the sliding bolt to move. The sliding bolt has a shackle for hanging the lock 
and a stem for bonding one end of the splitting springs. The key is designed corre- 
sponding to the configuration of the splitting springs, and the location and shape of 
the keyhole. When it is locked, the sliding bolt is trapped by the opening springs 
against the inner wall of the lock-body. For opening, the key is inserted and its head 
squeezes the opening springs so that the sliding bolt can be separated from the lock- 
body. 



A combination padlock comprises the lock-body, rotating wheels, and the sliding 
bolt with a shackle and a stem, Figure 2(b). The lock-body contains an end plate 
and an axis with rotating wheels for guiding the movement of the sliding bolt. The 
sliding bolt also has an end plate for bonding both the shackle to hang the lock and 
the stem with several convex (凸)-shaped blocks. Every rotating wheel is of the same 
size. Usually four letters are engraved on the surface. And there is a concave (凹)-shaped 
chute that corresponds with each convex-shaped block on the stem. To unlock 
the lock, one has to rotate the letters on each wheel into the correct order 
and position. When all the concave-shaped chutes face upward, a channel is formed 
that allows the stem with convex-shaped blocks to slide apart from the lock-body. 
The lock is then opened. 
4 Cryptosystems 

A Chinese splitting spring padlock has the following features: 

1. The opening key is designed to have the right shape of keyhead to be inserted 
through the designed shape of the keyhole and to squeeze the designed 
configuration of the splitting springs to open the lock. 

2. It does not need the opening key to fasten the lock. 

3. In general, a key is designed for a specific lock. However, sometimes a key can 
open more than one lock. 

Therefore, a splitting spring padlock is an asymmetric key cryptosystem. 

Furthermore, a Chinese combination padlock is a symmetric key cryptosystem. 
When the letters (ciphers) of all wheels are rotated into the right sequence, it is 
unlocked; otherwise, it is locked. 

4.1 Basic Components 

The mechanism of an ancient Chinese padlock has three basic components: a fastening 
device, an opening device, and an obstacle. 

Chinese padlocks usually use a sliding or rotary bolt as the fastening component. Most 
Chinese padlocks used splitting springs as the obstacle to discriminate and obstruct 
wrong opening devices. In general, there are two types of obstacles. One is the fixed 
obstacle, such as the special keyholes or keyways that prevent foreign 
keys from being inserted to open (decrypt) the locks. The other can be moved by the 
inserted key to strengthen the encryption of the locks, and also to screen out wrong keys 
that pass the first layer of security, the keyholes and keyways. The opening device is 
used to overcome the obstacle component and can be a key or a secret code. 

4.2 Encrypt and Decrypt 

Although the coding of locks usually refers to the matching design of locks and keys, 
it can also be applied to the operation of locks. Figure 3 shows the relationship of the 
fastening device, the opening device, and the obstacle component that together make up 
the operation of a lock. The opening device of a Chinese lock can be taken as the key of a 
splitting spring padlock or the cipher of a combination padlock. When fastening the lock, 
the opening device should be discriminated by the obstacle to ensure its validity and 
encrypt the lock. If the opening device is wrong, it must be replaced by the correct one 
before the encoding of the lock can proceed. Once the obstacle is overcome, the fastening 
device is released and the lock is in the fastened condition. 

5 Conclusions 

Although locks have been used in our daily lives for the past thousands of years, 
the development and characteristics of ancient Chinese locks not only have been 
almost unknown to the world but also have not been fully investigated. This paper 
presents the secret and beauty of ancient Chinese padlocks based on the authors' study 
and collection in the past years [5]. Ancient Chinese locks are mostly key-operated 
bronze padlocks with splitting springs and partially letter-combination padlocks. 
Chinese padlocks can be characterized based on the mechanism of locks, the shape of 
locks, the type of keyways, the shape of keyways, the type of keys, the shape of keyheads, 
the insertion of keys, and the materials of locks. A splitting spring padlock is 
an asymmetric key cryptosystem, since it has to use a key for opening and it does not 
need the opening key to close the lock. A Chinese combination padlock is a symmetric 
key cryptosystem. When the letters of all wheels are rotated into the right positions, 
it is unlocked; otherwise, it is locked. It is hoped that this article will induce 
further research interest in relating ancient Chinese locks to modern cryptosystems. 



Fig. 3. Cryptosystem of Chinese locks 
Abstract. In this paper¹ we propose a new symmetric block cipher with
the following paradoxical traceability properties: it is computationally 
easy to derive many equivalent secret keys providing distinct descrip- 
tions of the same instance of the block cipher. But it is computationally 
difficult, given one or even up to k equivalent keys, to recover the so 
called meta-key from which they were derived, or to find any additional 
equivalent key, or more generally to forge any new untraceable descrip- 
tion of the same instance of the block cipher. Therefore, if each legitimate 
user of a digital content distribution system based on encrypted infor- 
mation broadcast (e.g. scrambled pay TV, distribution over the Internet 
of multimedia content, etc.) is provided with one of the equivalent keys, 
he can use this personal key to decrypt the content. But it is conjectured 
infeasible for coalitions of up to k traitors to mix their legitimate per- 
sonal keys into untraceable keys they might redistribute anonymously 
to pirate decoders. Thus, the proposed block cipher inherently provides 
an efficient traitor tracing scheme [4]. The new algorithm can be de- 
scribed as an iterative block cipher belonging to the class of multivariate 
schemes. It has advantages in terms of performance over existing traitor
tracing schemes and, furthermore, it allows overheads to be restricted to one
single block (i.e. typically 80 to 160 bits) per encrypted content payload.
Its strength relies upon the difficulty of the “Isomorphism of Polynomi- 
als” problem [17], which has been extensively investigated over the past 
years. An initial security analysis is supplied. 

Keywords: traitor tracing, block ciphers, Matsumoto-Imai, multivariate 
cryptology, symmetric cryptology, collusion resistance. 


1 Introduction 

One of the most employed digital content distribution methods consists in broad- 
casting encrypted information. Applications include pay TV systems, server- 
based services for the distribution of pre-encrypted music, videos, documents or 
programs over the Internet, distribution of digital media such as CDs or DVDs, 
and more generally, conditional access systems. In content distribution systems 
broadcasting encrypted information, each user is equipped with a “decryption 

¹ This paper was submitted to the Asiacrypt 2003 conference.

C.S. Laih (Ed.): ASIACRYPT 2003, LNCS 2894, pp. 331-346, 2003. 
box” which may be a smart card combined with an unscrambling device as in
several existing pay TV systems, or even of software on a personal computer. 
The decryption box of each legitimate user is provided with a decryption key, 
allowing him to recover the plaintext content from the broadcast information 
during some validity period or for a given subset of the content. The delivery 
and update of decryption keys may be performed using various key distribution 
methods and is generally subject to the payment of subscriptions, digital right 
management licenses, etc. 

The following security problem arises in this setting: if any legitimate user 
manages to recover the decryption key contained in his decryption box or to 
duplicate the keyed decryption software, then he can redistribute it to illegiti- 
mate users, allowing them to get the plain content as the legitimate users, with- 
out having to pay any subscription, digital right management license, etc. This 
quite often represents a much more serious threat than the redistribution of the 
plaintext content, which is so far not considered very practical in contexts like 
pay-TV. The use of tamper resistant devices (e.g. smart cards) to store decryption keys and associated algorithm(s) obviously helps to protect these systems, but can hardly be considered a sufficient countermeasure to entirely prevent this kind of attack. Over the past years, more and more sophisticated attacks against tamper resistant devices have emerged — e.g. side-channel attacks, see for instance [12]. Because attacking a single decryption box may lead to massive fraud, attackers can afford to use sophisticated and expensive attacks, so that countermeasures proposed in other contexts will often be ineffective for encrypted content broadcast systems.

Traitor tracing provides a natural countermeasure to prevent the decryp- 
tion key redistribution threat described above. The concept of traitor tracing 
scheme was first introduced by B. Chor, A. Fiat and M. Naor in the seminal 
paper [4] and we use as far as possible the same terminology to describe the pro- 
posed scheme. In traitor tracing schemes, each legitimate user is provided with 
a unique personal decryption key which unambiguously identifies him, while en- 
abling him to decrypt the broadcast information. The system must accommodate 
a large number N of users and it must be infeasible for any coalition of up to k 
legitimate users to mix their personal keys into a new untraceable description of 
the decryption key. Most of the traitor tracing schemes proposed so far, e.g. those 
described in [4], [14] and [18] are combinatorial in nature. Each legitimate user 
is provided with several base keys, which together form his personal key and 
the broadcast information contains large overheads of encrypted values under 
some of the base keys, allowing legitimate users to recover a content decryption 
key. A non-combinatorial alternative, namely a public key encryption scheme in 
which there is one public encryption key but many private decryption keys, was 
proposed by D. Boneh and M. Franklin in [3]. It has the advantage of avoiding large
overheads and of having very small decryption keys. However, the performance of
this scheme is extremely sensitive to the maximum number k of tolerated col- 
luding traitors, since the data expansion factor of the public key encryption is 
proportional to k. 
The approach developed in this paper is non-combinatorial in nature and
has stronger connection with the one developed in [3] than with combinatorial 
schemes, up to the essential difference that we construct an untraceable symmet- 
ric cipher rather than an untraceable asymmetric cipher. The proposed cipher 
has the paradoxical property that many equivalent secret keys (used for decryp- 
tion purposes) can be generated, while it is conjectured to be computationally 
impossible, given at most k equivalent secret keys, either to forge another un- 
traceable equivalent secret key or to reconstruct the “meta key” from which the 
original equivalent secret keys were derived. More precisely, the knowledge of 
the meta key allows to efficiently determine at least one of the equivalent secret 
keys used to forge the new description. 

The proposed construction can be described as an iterative block cipher. Its strength relies upon the intractability of the “Isomorphism of Polynomials,” a problem which has been extensively investigated over the past years [2,11,17] and whose conjectured intractability has not been directly affected by recent advances in the cryptanalysis of multivariate schemes like HFE [9,10]. One of the advantages of the proposed scheme is to avoid the overhead generated by the approach taken in [3], where the data expansion is proportional to k. Another advantage is the intrinsic structure, which is rather close to that of usual block ciphers, so that the performance of the cipher in encryption/decryption modes is better than for existing traitor tracing schemes. Also, the proposed scheme is much less sensitive to the maximum number k of traitors tolerated in a coalition, or to the maximum number of users N in the system.
On the negative side, one should mention that the tracing procedures described 
in this paper require the knowledge of the description of the decryption function 
owned by a pirate. Thus no “black box” tracing procedure limiting interaction 
with the pirate decoder to “oracle queries” is provided. Another limitation of 
the proposed algorithm is that as usual in symmetric cryptography, no provable 
reduction to the difficulty of a well studied mathematical problem (e.g. the iso- 
morphism of polynomial problem) could be found. Thus, the security analysis we 
supply can only achieve the next desirable goal, i.e. investigate various attack 
strategies and make sure that identified attacks are thwarted. Because of the 
higher requirements on a traceable cipher, risks are obviously much higher than 
for usual symmetric ciphers. 

This paper is organized as follows. In Section 2, we describe the require- 
ments on a symmetric cipher with an associated non-combinatorial traitor trac- 
ing scheme. In Section 3, we describe the proposed iterative block cipher con- 
struction and the associated traitor tracing scheme. Section 4 provides an initial 
security analysis. Section 5 addresses performance issues and provides an exam- 
ple instance of the proposed algorithm with explicit practical parameter values, 
in order to stimulate improved cryptanalysis. Section 6 concludes the paper. 

2 Traceable Block Ciphers: Requirements and Operation 

Let us denote by F_K, K ∈ 𝒦, a symmetric block cipher of block size l, i.e. a key-dependent function from the set {0,1}^l of l-bit input values to itself. As will be seen in the sequel, it is not required that F_K be easy to invert. It is not even an absolute requirement that the function F_K be one to one, although the block ciphers proposed in this paper are actually one to one and can be inverted: in practice they are operated in the forward direction alone, except in some traitor tracing procedures.

A traitor tracing scheme for N users associated with a traceable symmetric block cipher F_K consists of the following components:

• A user initialization scheme deriving users’ secret keys from a meta key K ∈ 𝒦. All user secret keys K_j must be distinct (though equivalent) descriptions F_{K_j} of the meta function F_K. Each description F_{K_j} must allow F_K to be computed efficiently in the forward direction.

• Encryption and decryption processes, respectively used by the operator of the broadcast distribution system to encrypt some digital content using F_K, and by the legitimate user j to decrypt this content using his recovery key K_j through the associated description F_{K_j} of F_K. As explained in [4], the structure of the broadcast information typically consists of pairs (EB_j, CB_j) of an overhead information named “enabling block” and an encrypted content block named “cipher block.” The enabling block is used to generate a symmetric key, hereafter called “control word,” to decrypt the cipher block via an additional symmetric scheme S, like for instance AES or the one-time pad. As said before, F_K need not be invertible: it is used in the forward direction in both the encryption and decryption processes.

• A tracing procedure allowing the owner of the meta key, when provided with any pirate description of the decryption function forged by any coalition of up to k traitors, to trace at least one traitor of the coalition.

In this setting, the meta key’s holder creates cipher blocks CB_j from blocks of plain text content B_j using an additional symmetric scheme S and enabling blocks EB_j (produced for instance by a pseudo-random generator) via the formula CB_j := S_{CW_j}(B_j), where the control words CW_j are derived from the enabling blocks using the traceable block cipher: CW_j := F_K(EB_j).

Fig. 1. Scheme’s Architecture.
The operations performed by legitimate users to decrypt these content blocks are summarized in Fig. 1. User j first derives the control word CW_j from the enabling block EB_j via his description F_{K_j} of the meta function: CW_j = F_{K_j}(EB_j). Then he uses the control word CW_j to decrypt the cipher block CB_j via the additional symmetric scheme S and recovers the associated block(s) of plain content B_j = S^{−1}_{CW_j}(CB_j). For instance, B_j = CB_j ⊕ CW_j when S is the one-time pad algorithm, and B_j = AES^{−1}_{CW_j}(CB_j) when S is the AES. In this context, control words must be generated frequently, so that redistributing control words to pirate decryption boxes is not much easier than redistributing the plaintext. This is difficult to achieve with existing combinatorial traitor tracing schemes due to the large data expansion incurred by such schemes. Another consequence is that the throughput (bit/s) of the F_K block cipher must be as close as possible to the throughput of classical block ciphers such as AES and much larger than that of asymmetric ciphers such as RSA. An additional requirement for systems where K needs to be updated frequently, e.g. to manage dynamic modifications of lists of subscribers, is that each description F_{K_j} be reasonably short, so that its distribution via any symmetric encryption or key distribution algorithm is practical.

In order for the content distribution system to resist attacks against the decryption scheme, the descriptions F_{K_j} must satisfy the usual security requirements of a block cipher. This implies that given any set of F_{K_j} input/output pairs with known, chosen or even adaptively chosen input values an adversary could obtain, it must be computationally infeasible for this adversary to predict any additional F_{K_j} input/output pair with a non-negligible success probability. In particular, input/output pairs must not reveal K_j or any other equivalent description of F_K.

The last and most demanding requirement is the existence of an efficient traitor tracing procedure for the owner of the meta key K. Our definition of a traitor tracing scheme follows the one proposed in the seminal paper [4]. We do not require the traitor tracing scheme to be black box (i.e. to be operable using, say, only inputs EB_j and outputs CW_j of the key distribution function). We restrict ourselves to traitor tracing scenarios where an authority is able to access the description of F_K contained in the pirate decryption box. Note that it does not seem unrealistic to assume that decryption boxes of pirate users can be tampered with by an authority, taking into account the fact that traitor tracing is only needed if the decryption boxes of legitimate users can be tampered with. Traitor tracing requirements can be informally stated as follows. Attacks by any coalition of up to k traitors should be traceable, that is, k traitors able to access their individual descriptions F_{K_j} should not be computationally able to forge any additional description F' from their k equivalent descriptions F_{K_j} without revealing at least one of their K_j — and thus the identity j of one of the traitors. We further require that the probability for the tracing procedure applied to any k-traitor coalition to either output no suspected traitor (non-detection) or to output the identity j of an innocent user (false alarm) be negligible.
3 Description of the Traceable Scheme

Among the requirements identified in the former Section, the most demanding one is not the existence of many equivalent descriptions of the symmetric function F_K — this is frequent in symmetric cryptography, see for instance [1] — but the property that the provision to a user of one of these numerous representations F_{K_j} should not disclose information allowing him to construct any other representation of F_K unrelated to K_j. In other words, the meta key K must act as a kind of trapdoor allowing other operations to be performed than those allowed by the descriptions F_{K_j} of F_K. Thus, even in the symmetric setting considered in this paper, public key cryptography properties are required, and generic block ciphers will not be usable, unlike in the case of combinatorial traitor tracing schemes. However, we would like to keep the performance advantages of symmetric cryptography, since generation of control words at a high rate is necessary for the security of the system.

Multivariate cryptography appears to be a natural candidate to meet these requirements. As a matter of fact, the features of this recently developed family of algorithms are in many respects intermediate between those of public key algorithms (e.g. trapdoors) and those of secret key algorithms. Many of them can be described as iterative ciphers resulting from the composition of several rounds, and their complexity is substantially lower than that of usual public key ciphers and not much higher than that of usual block ciphers. Typical examples of multivariate algorithms are C* proposed by T. Matsumoto and H. Imai
in [13], SFLASHv2 (one of the Nessie finalists [19]), and HFE [16]. All the schemes 
mentioned above rely on the intractability of the so-called “Isomorphism of Poly- 
nomials” problem for the secret key recovery. See [7] for more information about 
known attacks against this problem. The C* scheme was attacked by Patarin 
in [15] and Dobbertin independently, but these attacks do not allow to recover 
the secret key and thus to break the underlying IP problem. An attack allowing 
to solve the IP problem underlying some instances of HFE, using so-called re- 
linearization techniques was published by Kipnis and Shamir in 1999 [11], and 
appears to be also applicable to the IP problem underlying some instances of the 
basic (quadratic) version of C*. More recently, enhanced decryption or signature 
forgery attacks against HFE and more generally various multivariate cryptosys- 
tems have been proposed [8,6,9,10]. But none of these recent attacks allows to 
recover the secret key and to break the underlying IP problem. Thus in summary, 
as far as we know, the best known attacks against the IP problem underlying 
multivariate schemes are those described in [7,11]. 

3.1 Building Blocks 

Let us briefly recall the basic quadratic C* from which the building block of our 
scheme is directly derived by generalizing it to monomials of higher degree. It 
involves the following elements: 
$$
\begin{cases}
y_1 = P_1(x_1, \dots, x_n) \\
y_2 = P_2(x_1, \dots, x_n) \\
\quad\vdots \\
y_n = P_n(x_1, \dots, x_n)
\end{cases}
$$

Fig. 2. An extended C* building block.

— A finite field K = F_q of size q.

— An extension L over K of degree n, with a defining primitive polynomial P(X) of degree n such that L = K[X]/(P(X)). We will represent elements of L as n-tuples (a_0, ..., a_{n−1}) of K through the usual identification function φ : (a_0, ..., a_{n−1}) ↦ Σ_{i=0}^{n−1} a_i X^i (mod P(X)).

— A private key made of two linear one to one mappings s and t from K^n to itself and an integer θ such that q^θ + 1 be prime to q^n − 1.

— A public key G = t ∘ φ^{−1} ∘ E_θ ∘ φ ∘ s, published as a system of n multivariate polynomials in n variables, where E_θ is the monomial function E_θ : L → L, a ↦ a^{1+q^θ}. Assuming the trapdoor (s, t) unknown, the function G was believed to be one-way, but J. Patarin showed in [15] that it can be computationally inverted. However, one-wayness is not needed in our scheme.

The actual building blocks of our construction are higher degree variants of C* obtained by considering a more generic — but still monomial — function E, namely E_θ : L → L, a ↦ a^{1 + q^{θ_1} + ... + q^{θ_{d−1}}}, where d is a fixed integer and θ is a (d − 1)-tuple (θ_1, ..., θ_{d−1}) such that q^n − 1 be prime to 1 + q^{θ_1} + ... + q^{θ_{d−1}}, hereafter called the degree of the building block G. Indeed, G can be described as a system of n multivariate polynomial equations as suggested in Fig. 2, and the polynomials P_i involved have total degree d. For instance, in the special case where d = 3, G can be described as (i = 1, ..., n):

$$
y_i = \sum_{0 \le j,k,l \le n-1} \alpha_{i,j,k,l}\, x_j x_k x_l \;+\; \sum_{0 \le j,k \le n-1} \beta_{i,j,k}\, x_j x_k \;+\; \sum_{0 \le j \le n-1} \gamma_{i,j}\, x_j . \qquad (1)
$$

The basic idea underlying the proposed traitor tracing scheme is to use several of those extended C* instances as building blocks for our construction and to take advantage of the commutativity of the various monomial functions E_θ involved — that is E_{θ_1} ∘ E_{θ_2} = E_{θ_2} ∘ E_{θ_1} for all θ_1, θ_2.

3.2 Meta-key, Users’ Keys 

Let us keep the notation of the previous Section. Moreover, let r be the number of building blocks. The meta secret key K is defined as the set of two one to one linear mappings s and t from K^n to itself, and a collection of r (d − 1)-tuples θ_i such that all the values 1 + q^{θ_{i,1}} + ... + q^{θ_{i,d−1}} for i = 1, ..., r be distinct. Then the function F_K is defined as F_K = s ∘ E_{θ_r} ∘ ··· ∘ E_{θ_2} ∘ E_{θ_1} ∘ t.
Fig. 3. Description F_{K_j} = G_{r,j} ∘ ··· ∘ G_{2,j} ∘ G_{1,j}.

Now assign to each user j a private key K_j generated from the meta key K using a set of r − 1 linear one to one mappings L_{1,j}, ..., L_{r−1,j} from K^n to itself, and a permutation σ_j of the set {1, ..., n}. The user gets his key K_j as a list of functions G_{1,j}, ..., G_{r,j}, which are provided as systems of n multivariate equations of homogeneous degree as described in Figs. 2 and 3.

A user initialization scheme needed to derive a user’s key from the meta key K follows. From any input j one creates the permutation σ_j and the r − 1 one to one mappings L_{i,j} by any pseudo-random generation mechanism or by any diversification algorithm.

We can now check that the users’ functions F_{K_j} are distinct but equivalent descriptions of the meta function F_K. Indeed, for each user j, the one to one mappings at the end of G_{k,j} and at the beginning of G_{k+1,j} cancel out, and since the functions E_θ commute, the effect of the permutation is annihilated.

3.3 Encryption and Decryption 

In order to encrypt a digital content, the station may broadcast enabling block and cipher block pairs (EB_i, CB_i) produced with the help of any additional symmetric algorithm S_{CW} where the symmetric key is the control word generated as CW := F_K(EB_i). Thus, the construction is given by CB_i := S_{F_K(EB_i)}(B_i), where B_i denotes the content block. Now any user j can recover the content block by following a similar procedure, that is by computing B_i :=
3.4 Traitor Tracing Procedure

The procedure to identify traitors relies upon the two following claims which are 
substantiated in the security analysis given in the next section. 

Claim 1. When the leakage originates from a single traitor l, the analysis of the description F' constructed by the traitor based on his description F_{K_l} allows the authority to decompose F' in r components G'_1 to G'_r such that F' = G'_r ∘ ··· ∘ G'_1. Moreover, each G'_i can be split as the composition of the functions G_i of the traitor and other “parasitic” functions which may differ from the identity function. Thus, the analysis reveals the order of composition of the functions G_i, which in turn reveals the identity of the traitor through the knowledge of σ_l.

This first claim allows an authority provided with the meta key K to efficiently derive the permutation σ_l associated to the description F_{K_l} of the traitor from the leaked function F', and thus to recover the identity l of the traitor.

Claim 2. When the leakage originates from a coalition of at most k traitors, the analysis of the description F' constructed by the k colluding traitors allows F' to be decomposed in r components G'_1 to G'_r such that the middle r − 2p values come from “parasitized” functions G_i of a single traitor, for a well chosen p.

This second claim allows, by properly choosing the parameters of the system, especially p, whose exact definition is given in the next Section, to recover the identity of one of the traitors (say j) by deriving the values of the permutation σ_j on the set of integers [p, r − p] from the values of the functions G_{p,j} to G_{r−p,j} alone. To achieve this goal, we must ensure that the middle part of the pirate description F' originates from the middle parts p to r − p of one single traitor, while mixing traitors’ descriptions in the ranges [1, p] and [r − p, r] can still be tolerated.

4 Security Discussion 

4.1 The IP Problem 

The security of the proposed traceable iterated symmetric cipher relies to a large 
extent upon the security of special instances of the “Isomorphism of Polynomi- 
als” problem — hereafter called IP — namely the problem of finding the hidden 
monomial of the extended Matsumoto-Imai C* scheme described in Section 3.1. 

The IP problem with two secrets — see also [7,17] — consists in finding a pair (s, t) of one to one linear mappings between two sets A and B of multivariate polynomial equations of total degree d over a finite field K. Denoting by x = (x_1, ..., x_n) an element of K^n, we can write y = A(x) as a system of polynomial equations:

$$
\begin{cases}
y_1 = P_1(x_1, \dots, x_n) \\
y_2 = P_2(x_1, \dots, x_n) \\
\quad\vdots \\
y_n = P_n(x_1, \dots, x_n)\,,
\end{cases}
$$



340 Olivier Billet and Henri Gilbert 


and similarly for B. In this setting the IP problem consists in finding a pair of 
one to one linear mappings s and t such that: 

$$
B(s(x)) = t(A(x)). \qquad (2)
$$

This problem is assumed to be difficult and it has been shown to be at least 
as hard as the “Graph Isomorphism” problem. Even for very special instances 
complexity remains high [2,6]. Note also that an efficient solution to the IP 
problem would lead to an efficient attack on SFLASHv2 [19] that has been selected 
by the European Nessie project. 

4.2 Resisting Attacks against the Decryption Scheme 

As explained in Section 2, the descriptions F_{K_j} of any user j must satisfy the usual security requirements of block ciphers. In particular, given any realistic number of input/output pairs of F_{K_j} corresponding to chosen or adaptively chosen input values, it must be computationally infeasible to infer any additional output value. Based on an investigation of the most natural attack strategies, we conjecture that this property is satisfied provided that:

1. Parameters q and n be chosen so that even if the monomial functions E_{θ_1}, E_{θ_2}, ..., E_{θ_n} can be guessed, solving the IP problem which consists of guessing s and t given a sufficiently large number of input/output pairs of F_{K_j} be intractable. Based on the results in [7,2] we expect this condition to be satisfied provided that the complexity q^n of the best known attack be large enough, say at least 2^80. Since an enhanced attack of complexity q^{n/2} is reported in the quadratic case in [7], an even more conservative choice would be to consider q^n ≥ 2^160 in order to prevent a generalization of this attack to other instances of IP.

2. The value q^D, where D is the degree of the system of polynomial equations in n variables representing any F_K, be large enough, say at least 2^80, to prevent attacks based on higher order derivation. Indeed, this would allow an attacker to predict one more output given an affine set of q^{D+1} input values and all but one of their corresponding outputs. D is about nq when r is large enough and q is the size of the finite field K;

3. The number of monomials of the system of n polynomial equations in n variables representing any F_{K_j}, which is usually close to $n\binom{n+d-1}{d}$, be large enough to prevent an attacker from recovering the coefficients of this system using linear algebra and a sufficient number of input/output pairs of F_{K_j}.


4.3 Tracing Single Traitor’s Pirate Description 

We anticipate that in trying to produce an untraceable version of his description F_{K_j}, a traitor j would adopt one of the following strategies:

1. Try to find one of the r + 1 one to one linear mappings s, L_{1,j}, L_{2,j}, ..., L_{r−1,j} and t, hidden from the attacker j. If an attacker j could recover one of these r + 1 linear mappings, say L_{l,j}, this would obviously allow him to incrementally recover all the L_{i,j} for i < l, and all the L_{i,j} for i > l, using the information provided by the mappings G_{1,j} to G_{r,j}, and thus to recover the value of K_j and to easily produce variants of his description F_{K_j} in an untraceable manner. Conversely, we conjecture this to be as hard as solving the IP problem of at least one of the G_{i,j}. The complexity of the best attacks reported in [7] is O(q^n) in case d > 2 and O(q^{n/2}) in case d = 2.

2. Try to directly use the functions G_{i,j} without analyzing them, by modifying them so as to produce a concealed variant of the original description by composing the basic blocks G_{i,j} in the same order, but with “parasitic” functions whose effects eventually cancel out. That is, the traitor tries to produce a sequence with two types of blocks G'_i: those which can be written as ψ_i ∘ G_{i,j} ∘ φ_{i+1} and those that do not rely on the available G_{i,j} blocks and are denoted by Π_i. These data must be such that the effects of adding/composing the φ, Π and ψ mappings to the original blocks G_{i,j} eventually cancel out, that is so that F_{K_j} = G'_{w,j} ∘ ··· ∘ G'_{1,j}. (Please note that w can be greater than r because of the second type of blocks.) Also note that φ_i, ψ_i and Π_i have to be simple enough — for instance a reasonable number of monomials and a limited total degree — so that they could be easily constructed and efficiently computed.

3. Try to compose several blocks G_{i,j} of his description. This attack is impossible as soon as the number of monomials in such a composition is impractical. Since the composition must be formally computed, $\binom{n+d-1}{d}$ terms must be formally raised to the power d, which quickly becomes intractable. As will be seen in the sequel, the composition of a small number of blocks G_{i,j}, say 2 of them, does not substantially complicate the tracing procedure. Therefore, only the composition of more than 3 blocks must be prevented.

4. Use a combination of any of the above strategies.

To trace traitor j from a pirate description G'_1, ..., G'_w, the authority proceeds as follows. First, note that G'_1 is necessarily of the form ψ_1 ∘ L_{1,j} ∘ E_{θ_{σ_j(1)}} ∘ s, that is, of the first type. The authority thus searches for σ_j(1) by using its knowledge of s^{−1} and of all the E_{θ_i}: it computes G'_1 ∘ s^{−1} ∘ E_{θ_i}^{−1} for each i, and guesses the right value i by testing the “simplicity” of the resulting function by means of chosen input/output pairs. The simplicity is evaluated by estimating the degree and the number of monomials. In case of a correct guess, the function has a low degree and a predetermined number of monomials, whereas in case of a bad guess the function has terms of high degree. Having guessed the value σ_j(1), we denote it by σ(1).

The authority then has to get rid of terms of the second type Π_i, until another term of the first type is found. This is done again by evaluating the simplicity of the successive compositions:

$$
\begin{aligned}
& G'_2 \circ G'_1 \circ s^{-1} \\
& G'_3 \circ G'_2 \circ G'_1 \circ s^{-1} \\
& \quad\vdots
\end{aligned}
$$

each time for all i until a simple composed function is found. The authority then finds the value σ_j(2) and denotes it by σ(2). The process goes on iteratively and eventually gives the permutation σ_j, allowing the authority to trace traitor j.

While choosing the parameters of the system, we will make it hard for an attacker to formally compose two extended C* blocks and totally intractable to compose three of them. The composition of two consecutive blocks can be easily thwarted, since the above guessing procedure remains valid when replacing $E_{\theta_i}^{-1}$ by $E_{\theta_i}^{-1} \circ E_{\theta_j}^{-1}$, varying both $i$ and $j$ at the same time, thus allowing the authority to trace such compositions of two blocks as well.

4.4 Tracing k Traitors’ Pirate Descriptions 

The best collusion strategy we identified for a coalition of at most $k$ traitors provided with distinct descriptions $F_{K,j} = G_{r,j} \circ \cdots \circ G_{1,j}$ associated with the same meta description $F_K$ is the following one.

The basic idea is that the traitors may take advantage of the fact that the initial mapping $s$ and the final mapping $t$ are identical for every user. This could allow them to detect a partial collision between their respective hidden permutations $\sigma$. Let us take the example of two traitors $j$ and $l$ searching for such a collision. They know their first blocks begin with the same mapping $s$, and if their first functions $E_{\sigma_j(1)}$ and $E_{\sigma_l(1)}$ were equal, then the blocks $G_{1,j}$ and $G_{1,l}$ would be equal up to a one-to-one linear mapping, namely $L_{1,l} \circ L_{1,j}^{-1}$. Otherwise it would not be a one-to-one linear mapping. This is easy to test and provides a way for a pair of traitors to guess whether their permutations take the same value on 1, i.e. whether $\sigma_j(1) = \sigma_l(1)$.

Now, whether they succeed or not in the last step, the pair of traitors goes further in the process by checking whether $G_{2,j} \circ G_{1,j}$ and $G_{2,l} \circ G_{1,l}$ are equal up to another hidden one-to-one linear mapping. (Remember that the commutativity of the functions $E_\theta$ makes this possible.) In case of success, this would allow them to deduce that the images of the unordered set $\{1, 2\}$ under both permutations are equal, $\sigma_j(\{1,2\}) = \sigma_l(\{1,2\})$, and provide them with the value of $L_{2,j} \circ L_{2,l}^{-1}$. By iterating the process, the pair of traitors may identify any collision of their respective permutations on the set of integers $[1, t]$ for any $t \in [1, r]$, hereafter called a $t$-collision. Moreover, any detected $t$-collision provides a way to forge two new pirate descriptions by exchanging the first $t$ components of their respective descriptions of the meta function $F_K$, as shown in Fig. 4.

Note that the traitors can search for all collisions. That is, when no $u$-collision was found for $u < t$, it still remains possible for them to find a $t$-collision, when such a collision exists. Of course, this scenario can be replayed with other traitor pairs, or even with the newly forged descriptions, leading to a possibly large number of untraceable pirate keys.

Fig. 4. (figure not reproduced)

To avoid this situation, one encodes the identity of any user $i$ in the values taken by the permutation $\sigma_i$ on the middle interval $[p, r-p]$ of the original one $[1, r]$, for some well-chosen $p < r/2$, so that the probability of any $t$-collision for $t \in [p, r-p]$ is arbitrarily small.

Obviously, attacks involving a single traitor can also be used by coalitions of traitors in addition to the specific techniques discussed in this Section, but those can be handled the same way.

4.5 Non-detection and False Alarms 

Let us derive the requirements the attack scenario of the previous Section puts on parameter $p$. First, for any pair of traitors, the probability that a $t$-collision holds is $1/\binom{r}{t}$. Thus the probability $P_k$ that a $t$-collision for a coalition of up to $k$ traitors occurs for $t \in [p, r-p]$ is at most

$$P_k \le \frac{k(k-1)}{2} \sum_{t=p}^{r-p} \frac{1}{\binom{r}{t}}.$$

At the same time, permutations of users must be distinguishable from their values in the interval $[p, r-p]$. This implies that the number of distinct identities available for the system will be at most $M = r!/(2p)!$.

Now if the scheme needs to handle at most $N$ users, where $N < M$, and assuming a coalition of up to $k$ traitors, the probability of non-detection (the authority detects a collusion, but no matching identity is found) is given by $P_{k,ND} = (1 - N/M)\,P_k$, while the probability of a false alarm (a wrong identity is pointed out) is given by $P_{k,FA} = (N/M)\,P_k$. This comes from the fact that there are $M - N$ permutations that do not correspond to any valid identity.

5 Practical Example 

We provide realistic example parameters such that the scheme accommodates $N = 10^6$ users. The field of operation $K$ is taken to be $GF(2^{16})$, so that $m = 16$ and $q = 2^{16}$. Moreover, we chose $n = 5$ and the degree of the monomials in an extended C* block to be $d = 4$. There is a total of 32 distinct $(d-1)$-tuples $\theta$ such that $1 + q^{\theta_1} + \cdots + q^{\theta_{d-1}}$ is prime to $q^n - 1$.

Letting $r = 32$ and $p = 13$ makes the probability of false alarms smaller than $2 \cdot 10^{-10}$ for any coalition of up to $k = 10$ traitors, smaller than $2.2 \cdot 10^{-8}$ for $k = 100$ traitors and smaller than $2.3 \cdot 10^{-6}$ for $k = 1000$. The probability of non-detection is smaller than $1.2 \cdot 10^{-7}$ when $k = 10$ and smaller than $1.5 \cdot 10^{-3}$ when $k = 1000$. Other security requirements are met since $q^n = 2^{80}$ and, furthermore, the number of monomials in a building block of $F_K$ is 350, so that in any formal composition of three of them the number of monomials is already more than $4 \cdot 10^6$, and in any formal composition of four blocks it is about $10^9$.

With this choice of parameters, the total size of any description equivalent to $F_K$ is 21.8 KB. The speed of encryption is essentially determined by the number of multiplications in $F_{K,j}$ to be performed and can roughly be estimated as follows: the 70 terms $x_1^{\alpha_1} \cdots x_5^{\alpha_5}$ of total degree four can be computed once for each block and then multiplied by the appropriate leading coefficients of the polynomials describing each output variable of a block. So one can compute the 70 homogeneous terms of degree 4 in 85 multiplications in $K$ and eventually compute $y_1, \ldots, y_5$ in at most $5 \cdot 70$ multiplications in $K$. Since there are 32 blocks, that makes a total of about 15000 multiplications to process any $F_{K,j}$ on the 80-bit input. Additionally, the size of the overhead in this example is obviously 80 bits.

We propose another realistic set of parameters, hopefully more conservative, for applications where storage and speed of encryption are less critical concerns. The scheme handles up to $N = 10^6$ users. The field of operation is taken to be $GF(2^9)$, while the number of variables is set to $n = 19$ and the degree of the monomials is set to $d = 3$. There is a total of 190 distinct $(d-1)$-tuples $\theta$ such that $1 + q^{\theta_1} + \cdots + q^{\theta_{d-1}}$ is prime to $q^n - 1$. Choosing $r = 33$ and $p = 10$ makes the probability of false alarms smaller than $1.4 \cdot 10^{-19}$ for any coalition of up to $k = 10$ traitors and smaller than $1.52 \cdot 10^{-15}$ for any coalition of up to $k = 1000$ traitors, and the probability of non-detection smaller than $5 \cdot 10^{-7}$ for any coalition of up to $k = 10$ traitors and smaller than $5.4 \cdot 10^{-3}$ for any coalition of up to $k = 100$ traitors. Security requirements are met since $q^n = 2^{171}$ and the number of monomials in a building block of $F_K$ is 25270, so that in any formal composition of three of them the number of monomials is already more than $90 \cdot 10^6$, and in any formal composition of four blocks it is already more than $3 \cdot 10^{13}$. In that case, the size of any equivalent decryption key is 916 KB. The 1330 monomials can be computed in 1520 multiplications in $K$, so that a building block requires 26790 multiplications and it takes about 900000 multiplications to evaluate any description $F_K$ on the 171 bits of the input. The overhead is obviously 171 bits.
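As an added worked example (not code from the paper), the following Python evaluates the collusion bound of Section 4.5 and the resulting non-detection and false-alarm probabilities for the two parameter sets of Section 5, implementing the formulas exactly as stated there: $P_k \le \frac{k(k-1)}{2}\sum_{t=p}^{r-p} 1/\binom{r}{t}$, $M = r!/(2p)!$, $P_{k,ND} = (1 - N/M)P_k$ and $P_{k,FA} = (N/M)P_k$. The figures in Fig. 5 are the authors' own computation; this code only makes visible how the choice of $p$ trades the width of the collision interval against the size of the identity space $M$. The `smallest_p` search and all function names are assumptions of this example, not a procedure from the paper.

```python
# Added example (not the paper's code): the collusion bound of Section 4.5
# and the probabilities of Fig. 5, evaluated from the formulas as stated.
from math import comb, factorial


def collision_bound(r, p, k):
    """P_k <= k(k-1)/2 * sum_{t=p}^{r-p} 1/C(r,t): union bound over the
    k(k-1)/2 traitor pairs and over the t-collisions with t in [p, r-p]."""
    if not 1 <= p <= r - p:
        raise ValueError("need 1 <= p <= r - p")
    return (k * (k - 1) // 2) * sum(1 / comb(r, t) for t in range(p, r - p + 1))


def identity_space(r, p):
    """M = r!/(2p)!: number of identities encodable in sigma on [p, r-p]."""
    return factorial(r) // factorial(2 * p)


def detection_probabilities(r, p, n_users, k):
    """Split P_k into non-detection (no identity matches) and false alarm
    (a wrong identity is pointed out), as in Section 4.5."""
    M = identity_space(r, p)
    if n_users > M:
        raise ValueError("N must not exceed M = r!/(2p)!")
    pk = collision_bound(r, p, k)
    return {"M": M, "P_k": pk,
            "P_nd": (1 - n_users / M) * pk,
            "P_fa": (n_users / M) * pk}


def smallest_p(r, n_users, k, target):
    """Added helper (not from the paper): smallest p < r/2 for which both
    P_nd and P_fa fall below target, or None.  A larger p shrinks the
    collision interval but also shrinks the identity space M."""
    for p in range(1, (r + 1) // 2):
        if identity_space(r, p) < n_users:
            continue
        probs = detection_probabilities(r, p, n_users, k)
        if probs["P_nd"] < target and probs["P_fa"] < target:
            return p
    return None


if __name__ == "__main__":
    for r, p in ((32, 13), (33, 10)):       # the two parameter sets of Section 5
        for k in (10, 100, 1000):
            probs = detection_probabilities(r, p, 10**6, k)
            print(f"r={r} p={p} k={k}: P_fa={probs['P_fa']:.2e} P_nd={probs['P_nd']:.2e}")
```

Because $N/M$ is tiny for both parameter sets, almost all of $P_k$ lands in the non-detection term; it is that term, not the false-alarm one, that forces $p$ upwards.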

6 Conclusion 

A novel iterative block cipher which can be operated in a traceable manner has been introduced. The attacks investigated in our initial security analysis are easy to prevent by properly selecting the system parameters. Improvements in these attacks are of course not precluded, since no reduction proof of the security to a well-identified mathematical problem was found, apart from the obvious connection to the "Isomorphism of Polynomials" problem. Risks are obviously higher than for usual symmetric ciphers.
k        | 10             | 100            | 1000
P_k,FA   | < 2 · 10^-10   | < 2.2 · 10^-8  | < 2.3 · 10^-6
P_k,ND   | < 1.2 · 10^-7  | < 1.5 · 10^-5  | < 1.5 · 10^-3

N = 10^6, r = 32, p = 13, n = 5, F = GF(2^8).

k        | 10             | 100            | 1000
P_k,FA   | < 1.4 · 10^-19 | < 1.5 · 10^-17 | < 1.6 · 10^-15
P_k,ND   | < 5 · 10^-7    | < 5.4 · 10^-5  | < 5.4 · 10^-3

N = 10^6, r = 33, p = 10, n = 19, F = GF(2^9).

Fig. 5. Summary of parameters and corresponding probabilities.

Natural questions also arise: What security does the “Isomorphism of Poly- 
nomials” problem provide for small values of the number n of variables like those 
suggested in Section 5? Also, other building blocks could be considered, e.g. vari- 
ants with two or more branches in each extended C* block. Studying the effects 
of releasing the constraint that the monomial functions be distinct may lead to 
some performance improvements. We also note that since each user possesses an 
equivalent description, he is able to broadcast data to every other user. Besides 
traitor tracing, another interesting application of the proposed construction is 
whitebox cryptography [5]. Indeed, advantage can be taken from the fact that 
one can easily construct a huge number of equivalent descriptions, while those 
descriptions can be made arbitrarily large. 

In its current shape, the proposed traceable block cipher has the advantage 
of being very insensitive to the maximum number of traitors tolerated while ac- 
commodating a large number of users. Due to its intrinsic block cipher structure 
and due to the fact that it does not generate any data expansion overhead, its 
implementation can be made very efficient. 
Abstract. Khazad is a new block cipher initially proposed as a candidate for the NESSIE project. Its design is very similar to Rijndael, although it is a 64-bit block cipher. In this paper, we propose a new attack that can be seen as an extension of the Square attack. It takes advantage of redundancies between the round key derivation and the round function, and also exploits some algebraic observations over a few rounds. As a result, we can break 5 rounds of Khazad faster than exhaustive key search. This is the best known cryptanalytic result against Khazad.

1 Introduction 

Many recent block ciphers are built using an iterative Substitution Permutation Network (SPN). This includes in particular Shark [14], Square [5], Rijndael [6], Anubis [1] and Khazad [2]. These ciphers are generally designed to be immune against differential and linear cryptanalysis. However, a new powerful class of attacks has emerged recently, the "Square" attack, which was initially a dedicated attack [5] against the Square block cipher. It takes advantage of the bijectivity of most components of these ciphers (S-box, round key addition, ...), without analyzing their precise behavior. More generally, this class of high-level attacks can be seen as a dual technique to differential and linear cryptanalysis, since it is based on the propagation of distributions along the cipher for a large set of plaintexts, rather than on statistical properties for a single plaintext (or a pair of plaintexts).

Since then, this technique has been successfully applied to many other block ciphers (see [3] and [8]). Currently, one of the best known attacks against Rijndael is Gilbert-Minier's collision attack on 7 rounds [9], which can also be seen as an extension of the "Square" attack. Besides, a more generic name for this technique, namely the "integral" attack, has been recently proposed [10]. We use this terminology in the present paper.

Khazad is a 64-bit SPN block cipher with 8 rounds. It offers several interesting features. First, it achieves full diffusion over one round using an MDS matrix layer. Furthermore, all components are involutions, so the only difference between encryption and decryption lies in the key scheduling. Thus the same security is expected in both directions.

Khazad was initially proposed as a NESSIE [11] candidate for 64-bit block ciphers. However, it was not selected due to its low security margin [12]. In Section 2, we provide some background about Khazad. Then, in Section 3, we present new observations about this cipher that we later exploit to mount a 5-round attack.

2 Some Background about Khazad 

Khazad is a byte-oriented cipher. Indeed, all operations handle bytes of data: the S-box, the linear map over $GF(2^8)$, and so on. Like most word-oriented ciphers, Khazad may thus be subject to integral attacks. First, we describe quickly the main components of Khazad, then we present previously known cryptanalytic results against this cipher.


2.1 Description of the Cipher 

We only give a short overview of Khazad. More details can be found in [2]. During encryption, it iterates an SP round function 8 times. Throughout this paper, we denote by $P$ its linear layer and by $S$ its S-box layer. Thus, each round consists, in this particular order, of

— an S layer where a fixed S-box is applied to each byte of the current state,

— a P layer which consists of a square matrix of size 8 over $GF(2^8)$,

— a XOR layer, using the corresponding round subkey. This layer is called $X_i$ at round number $i$.

A first XOR layer is applied prior to the first round. Besides, the last round does not include a matrix layer. Thus the full encryption function can be written as

$$(X_8 \circ S) \circ (X_7 \circ P \circ S) \circ \cdots \circ (X_1 \circ P \circ S) \circ X_0$$

By convention, the notation "0.5 round" denotes either the first two layers of the round (the S and P layers together), or the XOR layer alone.


2.2 Previous Results about Khazad 

All cryptanalytic results concerning Khazad are summarized in Table 1. The best known attack so far was the straightforward application of the integral attack, originally proposed by the designers of the cipher [2]. Indeed, if a set of 256 plaintexts is introduced, such that the first byte takes all 256 possible values while the other bytes have constant values, the distribution of each byte can be easily described over 2 rounds (see Figure 1). For each byte, the following notations are used to represent these distributions over this set of 256 plaintexts:

- A represents bytes where “All” possible values are represented exactly once. 

- C represents bytes which have a “Constant” value 

- S represents bytes where the “Sum” of all values is 0. 
A | C | C | C | C | C | C | C
        | 1 round
A | A | A | A | A | A | A | A
        | 1 round
S | S | S | S | S | S | S | S

Fig. 1. The straightforward integral attack.

Table 1. Summary of Known Attacks Against Khazad.

Type of Attack                 | Rounds | Time | Data
integral attack [2]            | 3      | 2^16 | 2^9
impossible differential [12]   | 3      | 2^64 | 2^13
integral attack [2]            | 4      | 2^80 | 2^9
weak keys [4]                  | 5      | 2^43 | 2^38
improved integral (this paper) | 5      | 2^91 | ~2^64
From Figure 1, it appears that all bytes have an S distribution after 2 rounds. Such balanced distributions provide a 2-round distinguisher. Since there is no matrix layer in the last round, the corresponding subkey bytes can be guessed separately to mount a 3-round attack against Khazad. The resulting complexity is roughly $2^{16}$ S-box lookups and $2^9$ chosen plaintexts. Besides, this attack can be directly extended to 4 rounds by guessing one additional subkey. This increases the time complexity by a factor of $2^{64}$.

Other attacks have been examined throughout the NESSIE evaluation process. An impossible differential attack exists on 3 rounds of Khazad, but its complexity is larger than that of the integral attack [12]. The design rationale apparently prevents differential and linear attacks, since a large number of S-boxes is activated at each round. Besides, Gilbert-Minier's attack on Rijndael does not apply very well here, since it requires partial collisions. New ideas to attack involutional ciphers have been recently proposed [4]. Indeed, the cycle structure of 5-round Khazad presents some surprising properties. However, these observations have not yet resulted in a concrete attack. Finally, the only cryptanalytic result on 5-round Khazad is the class of $2^{64}$ weak keys identified in [4], which can be broken with $2^{43}$ steps of analysis using $2^{38}$ encryption blocks.
3 New Observations on Khazad

In this Section, we investigate some properties of Khazad. Our first observations concern the key scheduling, which is a Feistel network based on the round function. We show some surprising weaknesses resulting from this redundancy. Then, we describe some algebraic properties of the cipher over a reduced number of rounds.


3.1 Redundancies in the Round Key Derivation 

In order to speed up Khazad while keeping the same security, its designers adopted a key scheduling that inherits many properties of the round function. While this key scheduling can be viewed as a simple Feistel network, the derivation of the $i$-th round key $K_i$ is basically just one round of encryption applied to $K_{i-1}$, with a particular XOR layer. Initially, the actual 128 bits of secret key are split into $K_{-1}$ and $K_{-2}$, which serve as initial values. Thus, we have the following relation, for $0 \le i \le 8$,

$$K_i = P \circ S(K_{i-1}) \oplus C_i \oplus K_{i-2} \qquad (1)$$

where the $C_i$'s are round constants. The use of the round function during key scheduling creates surprising cascade eliminations during encryption. To illustrate this, we consider the encryption of the plaintext

$$\mathrm{Plain} = K_0 \oplus S \circ P(0)$$

which depends only on the first subkey $K_0$. After 1 round, the internal value (denoted as $Iv_1$) is

$$Iv_1 = K_1 \oplus P \circ S(\mathrm{Plain} \oplus K_0) = K_1 \oplus P \circ S \circ S \circ P(0) = K_1$$

since $P$ and $S$ are involutions. Then, after the second round, the internal value $Iv_2$ is

$$Iv_2 = K_2 \oplus P \circ S(Iv_1) = K_2 \oplus P \circ S(K_1) = K_0 \oplus C_2$$

because of relation (1). Thus, $Iv_2$ is basically known when $K_0$ is known, independently of $K_1$ and $K_2$. The following S and P layers can also be included, so we obtain an internal value depending only on $K_0$ after 2.5 rounds.

Many similar eliminations can be obtained with chosen plaintext or cipher- 
text once a round key is known (or guessed). Obviously, this observation suggests 
guessing Kq to obtain a known intermediate value and then trying to extend 
these observations over the last rounds. We describe such an attack in Section 4. 

3.2 Algebraic Properties of 2.5 Rounds of Khazad 

In this section, we consider the algebraic properties of Khazad. More precisely, we show that the last 2.5 rounds of Khazad can be expressed using a reduced number of algebraic relations. We also show that this system can be used to retrieve several subkey bits, once a few intermediate values and their corresponding ciphertexts are known.

As it was originally argued in [10], interpolation and algebraic attacks are 
good candidates to be combined with an integral attack which usually provides 
known intermediate values (or linear relations between these values). In the case 
of Khazad, we consider the following situation, encountered later in Section 4. 

— We know 256 full intermediate values: $Y_1, \ldots, Y_{256}$.

— 2.5 rounds of encryption remain unknown. The 3 corresponding round keys are denoted as $K$, $K'$ and $K''$.

— The resulting ciphertexts $Z_1, \ldots, Z_{256}$ are known. The last 2.5 rounds of encryption can be expressed as

$$Z_i = K'' \oplus S(K' \oplus P \circ S(K \oplus Y_i))$$

or, equivalently,

$$S(Z_i \oplus K'') = K' \oplus P \circ S(K \oplus Y_i)$$

for $1 \le i \le 256$. Then, the first byte of $S(K \oplus Y_i)$, later referred to as $W_i$, can be obtained by just guessing the first byte of $K$. Let $P_1(x)$ denote the linear function that returns the first byte of $P(x)$ for any 64-bit input $x$. We have the following relation

$$P_1 \circ S(Z_i \oplus K'') = P_1(K') \oplus W_i \qquad (2)$$

In addition, if we guess the byte $P_1(K')$, we obtain, for each $i$, a condition on $K''$ of the form

$$P_1 \circ S(\mathrm{known} \oplus K'') = \mathrm{known} \qquad (3)$$

While it is not straightforward to solve such a non-linear system, we apparently obtain enough conditions to retrieve the value of $K''$.

Suppose we replace, in relation (3), the S-box by its exact algebraic interpolation over $GF(2)$. From the left-hand side of (3), one sees that only a reduced number of monomials in the bits of $K''$ appear. Indeed, $S$ operates on the bytes of $K''$, thus the monomials are those involving bits of $K''$ that "belong" to the same byte. For instance, representing $K''$ as $(k_1, \ldots, k_{64})$, all monomials over $(k_1, \ldots, k_8)$ may appear, while no monomial involving simultaneously $k_8$ and $k_9$ can appear.

Thus, (3) can be seen as a system of 8 relations over $GF(2)$ involving $8 \times 2^8 = 2^{11}$ monomials in the bits of $K''$. Since 256 such relations are known (one for each $i = 1, \ldots, 256$), we obtain a system with $2^{11}$ unknown monomials and $2^{11}$ relations. Two bytes of round keys have been guessed to build this system.

3.3 Properties of the Linear System 

In the previous Section, we built a linear system over $GF(2)$ of $2^{11}$ relations involving $2^{11}$ unknowns, which are monomials over the 64 bits of the last round subkey. This can be summarized as

$$b = M x$$

where $x$ and $b$ are vectors of $2^{11}$ bits and $M$ is a square matrix obtained after replacing the S-box by its algebraic expression over $GF(2)$. $x$ contains the unknown monomials and, for $i = 0, \ldots, 255$, each relation (3) is turned into eight conditions on the bits of $x$, that correspond to bits $b_{8i}, \ldots, b_{8i+7}$ of $b$. More precisely, from relation (2), we see that, for all $i$,

$$b_i = c_i \oplus \{P_1(K')\}_i$$

where $\{P_1(K')\}_i$ denotes bit number $(i \bmod 8)$ of $P_1(K')$, and $c_i$ depends only on the intermediate values and the first byte of $K$.

In the general case, one could expect to solve this system by inverting the 
matrix M. However, M is built from an S-box interpolation, thus it is not a 
random matrix. It turns out that rows of M cannot have full rank for two 
reasons: 

- The algebraic degree of the Khazad S-box is 7, therefore the 8 columns of 
M corresponding to monomials of degree 8 necessarily contain only zeroes. 

- The coefficients of M corresponding to degree 7 monomials are independent 
of the plaintext. 

Indeed, every output bit $s_j$ of the S-box can be represented by a relation of the form

$$s_j = \sum_{a_1 + \cdots + a_8 \le 7} \beta_j^{(a_1, \ldots, a_8)}\, i_1^{a_1} \cdots i_8^{a_8} \qquad (4)$$

for some coefficients $\beta_j^{(a_1, \ldots, a_8)}$, with $(i_1, \ldots, i_8)$ denoting the input bits.

However, $M$ is obtained by applying several times the S-box to inputs of the form

$$(i_1, \ldots, i_8) = (c_1 \oplus k_1, \ldots, c_8 \oplus k_8)$$

where the $c_i$'s are ciphertext bits and the $k_i$'s are subkey bits. Substituting these values in (4), it is clear that the terms of degree 7 in the subkey bits are independent of the $c_i$'s. Therefore, for all $i = 0, \ldots, 255$, relation (3) always provides the same coefficients for degree 7 monomials. The 64 corresponding columns of $M$ are not free (and in fact have rank 8).

Moreover, when computing $b_t \oplus b_{8i+t}$ for $i = 1, \ldots, 255$ and $t = 0, \ldots, 7$, monomials of degree 7 are eliminated. Hence, we can obtain $8 \times 255 = 2040$ new relations of degree 6, thus involving only $2^{11} - 8 - 64 = 1976$ monomials. This results in a new matrix $M'$ having 2040 rows and 1976 columns. The initial system

$$b = M x$$

can be rewritten as

$$b' = M' x'$$

where the vector $b'$ contains the 2040 bits of the form $b_t \oplus b_{8i+t}$ and $x'$ contains the 1976 monomials of degree 6 or less. Besides, $b'$ does not depend on $K'$, whose bits get eliminated when computing $b_t \oplus b_{8i+t}$. A direct application of Gaussian elimination on $M'$ provides at least 64 conditions on its rows, thus conditions on the bits of $b'$. These conditions must be satisfied when the correct byte of $K$ has been guessed.

Therefore, we do not have to solve the initial system. From the interpolation matrix $M$, we can build $2040 - 1976 = 64$ linear conditions and thus detect the correct guess for the corresponding 8 bits of $K$. We programmed this algebraic step using the NTL library [13]. It turns out from our experiments that the kernel of $M'$ always has rank 64 (although it would be no problem if its dimension were larger). Thus we easily obtain enough linear conditions to verify the correct guess.

To summarize, we have shown that the last 2.5 rounds of Khazad can be 
expressed with a low degree algebraic system, after guessing a reduced number 
of bits. 64 linear conditions can be used to discard wrong guesses without actually 
solving this system. 
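The structure of the interpolation matrix described in Sections 3.2 and 3.3 can be checked on a small scale. The Python below is an added example, not code from the paper or from its NTL experiment: it uses a constructed 8-bit S-box (a seeded random permutation; Khazad's S-box table is not reproduced here), computes the algebraic normal form of $k \mapsto S(c \oplus k)$ for every byte $c$ with a Möbius transform, and verifies the three facts the text relies on: the degree-8 monomial never appears, the degree-7 coefficients are the same for every $c$ (so their columns have rank at most 8, one per output bit), and XORing the rows of two different $c$'s, as in $b_t \oplus b_{8i+t}$, leaves only monomials of degree 6 or less. The argument holds for any 8-bit permutation, not only Khazad's S-box, so the example is more general than the text; the function names and the seed are assumptions of this example.

```python
# Added example (not the paper's code): algebraic normal forms of an 8-bit
# S-box and the structure of the interpolation matrix of Section 3.3.
# The S-box is a constructed, seeded random permutation; the properties
# checked below hold for any 8-bit permutation, as argued in the text.
import random

_rng = random.Random(2003)           # constructed seed
SBOX = list(range(256))
_rng.shuffle(SBOX)


def anf(truth_table):
    """Moebius transform.  Input: 256 bytes f(x).  Output: 256 bytes where
    bit j of entry m is the coefficient of monomial m (a bitmask over the
    8 input bits) in the ANF of output bit j."""
    coeffs = list(truth_table)
    for bit in range(8):
        for x in range(256):
            if x & (1 << bit):
                coeffs[x] ^= coeffs[x ^ (1 << bit)]
    return coeffs


def weight(m):
    return bin(m).count("1")


def degree(coeffs):
    """Algebraic degree of the 8 output bits taken together."""
    return max(weight(m) for m in range(256) if coeffs[m])


# ANF of k -> S(c xor k) for every byte c: the polynomial in the subkey
# bits k_1..k_8 obtained after substituting i_t = c_t xor k_t into (4).
SHIFTED = [anf([SBOX[c ^ k] for k in range(256)]) for c in range(256)]


def rows(c):
    """Eight rows of the interpolation matrix for ciphertext byte c, one per
    output bit, packed as 256-bit integers over the 256 monomial columns."""
    return [sum(((SHIFTED[c][m] >> j) & 1) << m for m in range(256)) for j in range(8)]


def gf2_rank(vectors):
    """Rank over GF(2) of integer-packed row vectors (Gaussian elimination)."""
    pivots = {}                      # leading bit -> reduced row
    for v in vectors:
        while v:
            h = v.bit_length() - 1
            if h not in pivots:
                pivots[h] = v
                break
            v ^= pivots[h]
    return len(pivots)


def high_degree_structure():
    """(degree-7 coefficients identical for every c, degree-8 coefficient always 0)."""
    base = SHIFTED[0]
    shared7 = all(SHIFTED[c][m] == base[m]
                  for c in range(256) for m in range(256) if weight(m) == 7)
    deg8_zero = all(SHIFTED[c][0xFF] == 0 for c in range(256))
    return shared7, deg8_zero


def matrix_ranks():
    """Rank of the full 2048 x 256 matrix M and of its 8 degree-7 columns."""
    M = [r for c in range(256) for r in rows(c)]
    deg7_mask = sum(1 << m for m in range(256) if weight(m) == 7)
    return gf2_rank(M), gf2_rank([r & deg7_mask for r in M])


def reduced_system():
    """Rows b_t xor b_{8i+t}, i = 1..255, t = 0..7 (the matrix M' of the
    text): returns (row count, surviving columns, highest surviving degree)."""
    base = rows(0)
    reduced = [r ^ base[t] for c in range(1, 256) for t, r in enumerate(rows(c))]
    used = 0
    for r in reduced:
        used |= r
    return len(reduced), weight(used), max(weight(m) for m in range(256) if (used >> m) & 1)
```

With one S-box instead of eight, the surviving monomial count is at most $247 = 2^8 - 1 - 8$, the analogue of the paper's $2^{11} - 8 - 64 = 1976$; the 2040 XORed rows are the same count as in the text because they come from the 255 non-zero values of $i$.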

4 An Attack against 5 Rounds of Khazad 

In this Section, we develop the previous observations on Khazad to mount a new 
attack against 5 rounds of this cipher. The sketch of this attack works as follows 


4.1 Sketch of the Attack 

— Guess all 64 bits of $K_0$.

— Guess 8 bits of $K_1$.

— Introduce 256 chosen plaintexts in order to

• apply the integral attack, starting from the end of the $X_0$ layer,

• obtain known intermediate values after 2.5 rounds as in Section 3.1.

— Build the interpolation matrix as described in Section 3.2.

— Build 64 linear conditions from the matrix.

— Guess the first byte of $K_3$.

• Verify the linear conditions.

• Discard wrong guesses.

— A large portion of the guesses of $K_0$ and $K_1$ are also discarded through the absence of a matching $K_3$.

— Recover the whole secret key.

Most elements in this attack have been developed previously. Additional 
elements needed to connect all together are described in the following section. 


4.2 Strengthening the Integral Attack 

Once $K_0$ has been guessed, we can choose the plaintext Plain to obtain any intermediate value after 0.5 round, since this value is equal to $P \circ S(\mathrm{Plain} \oplus K_0)$ (and also to $K_1 \oplus Iv_1$). We consider an integral attack starting from there. Let us consider the set of 256 plaintexts such that $Iv_1 \oplus K_1$ takes all values on its first byte and has constant value equal to 0 on its other bytes. This can be represented as

$$Iv_1 = K_1 \oplus (i, 0, 0, 0, 0, 0, 0, 0)$$

for $0 \le i \le 255$. As in the classical integral attack, we obtain A distributions after 1.5 rounds and S distributions after 2.5 rounds. Besides, since the first byte of $K_1$ is guessed, we have, for all $i$,

$$Iv_2 = K_2 \oplus P \circ S(K_1 \oplus (i, 0, \ldots, 0)) = K_0 \oplus C_2 \oplus P(\Delta)$$

where $\Delta$ is known. Hence, we obtain 256 known intermediate values after 2.5 rounds. Moreover, these values are balanced as in the integral attack of [2], though we do not specifically use this property.
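
The cascade elimination of Section 3.1, the A/C/S distributions of Fig. 1 and the known values $Iv_2 = K_0 \oplus C_2 \oplus P(\Delta)$ above can all be checked on a toy cipher that keeps Khazad's high-level structure. The following Python is an added example, not code from the paper: it uses a 4-byte block, a constructed involutory S-box (inversion in $GF(2^8)$ conjugated by a constant XOR), a constructed linear involution for $P$, constructed round constants, and the key schedule relation (1). Only the properties the text uses matter here (S and P are involutions, P is linear and every output byte depends on every input byte); the field polynomial, constants, keys and function names are assumptions of this example.

```python
# Added example (not the paper's code): a 4-byte toy involutional SPN with
# Khazad's high-level structure.  S-box, P layer, round constants and the
# sample keys are all constructed here for illustration.
from functools import reduce

MOD_POLY = 0x11B  # constructed choice of GF(2^8) reduction polynomial
ROUNDS = 5        # the reduced-round version attacked in the paper
ZERO = (0, 0, 0, 0)


def gf_mul(a, b):
    """Multiplication in GF(2^8) modulo MOD_POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= MOD_POLY
        b >>= 1
    return r


def gf_inv(a):
    """Multiplicative inverse in GF(2^8), with 0 mapped to 0."""
    return next((x for x in range(1, 256) if gf_mul(a, x) == 1), 0)


# Involutory S-box with S(0) != 0: conjugating an involution by a constant
# XOR keeps it an involution.  0x35 is a constructed constant.
SBOX = [gf_inv(x ^ 0x35) ^ 0x35 for x in range(256)]


def S(block):
    return tuple(SBOX[b] for b in block)


def P(block):
    """Constructed linear involution: y_i = x_i + 2*(x_0 + x_1 + x_2 + x_3)
    over GF(2^8).  Every output byte depends on every input byte, and
    P(P(x)) = x because the doubled cross terms vanish in characteristic 2."""
    t = gf_mul(2, reduce(lambda a, b: a ^ b, block))
    return tuple(b ^ t for b in block)


def xor(a, b):
    return tuple(x ^ y for x, y in zip(a, b))


# Constructed round constants C_0..C_ROUNDS (Khazad derives its own from its S-box).
C = [tuple(SBOX[(4 * i + j) & 0xFF] for j in range(4)) for i in range(ROUNDS + 1)]


def key_schedule(k_minus2, k_minus1):
    """Relation (1): K_i = P o S(K_{i-1}) xor C_i xor K_{i-2}; returns [K_0, ..., K_ROUNDS]."""
    keys = [k_minus2, k_minus1]
    for i in range(ROUNDS + 1):
        keys.append(xor(xor(P(S(keys[-1])), C[i]), keys[-2]))
    return keys[2:]


def intermediate_values(plain, keys):
    """Iv_i = state after the XOR layer X_i; the last round has no P layer."""
    ivs = [xor(plain, keys[0])]
    for i in range(1, ROUNDS):
        ivs.append(xor(keys[i], P(S(ivs[-1]))))
    ivs.append(xor(keys[ROUNDS], S(ivs[-1])))
    return ivs


def cascade_elimination(k_minus2, k_minus1):
    """Section 3.1: Plain = K_0 xor S o P(0) gives Iv_1 = K_1 and Iv_2 = K_0 xor C_2."""
    keys = key_schedule(k_minus2, k_minus1)
    ivs = intermediate_values(xor(keys[0], S(P(ZERO))), keys)
    return ivs[1] == keys[1], ivs[2] == xor(keys[0], C[2])


def chosen_set(keys):
    """256 plaintexts with Iv_1 xor K_1 = (i, 0, 0, 0), as in Section 4.2."""
    return [xor(keys[0], S(P((i, 0, 0, 0)))) for i in range(256)]


def integral_distributions(k_minus2, k_minus1):
    """Fig. 1: every byte is 'A' (all values once) one round after the active
    byte, and 'S' (XOR sum zero) one round later."""
    keys = key_schedule(k_minus2, k_minus1)
    ivs = [intermediate_values(pt, keys) for pt in chosen_set(keys)]
    columns = lambda r: [[iv[r][j] for iv in ivs] for j in range(4)]
    all_once = all(len(set(col)) == 256 for col in columns(2))
    balanced = all(reduce(lambda a, b: a ^ b, col) == 0 for col in columns(3))
    return all_once, balanced


def predicted_iv2(k0, k1_byte0, i):
    """Iv_2 = K_0 xor C_2 xor P(Delta), Delta = S(K_1 xor (i,0,0,0)) xor S(K_1):
    Delta depends only on the first byte of K_1 because S works bytewise."""
    delta = (SBOX[k1_byte0 ^ i] ^ SBOX[k1_byte0], 0, 0, 0)
    return xor(xor(k0, C[2]), P(delta))


def known_intermediate_values(k_minus2, k_minus1):
    """Section 4.2: with K_0 and the first byte of K_1, all 256 values Iv_2 are known."""
    keys = key_schedule(k_minus2, k_minus1)
    return all(intermediate_values(pt, keys)[2] == predicted_iv2(keys[0], keys[1][0], i)
               for i, pt in enumerate(chosen_set(keys)))
```

The identities hold for any key because they only use $S \circ S = P \circ P = \mathrm{id}$, the linearity of $P$ and relation (1); replacing the constructed components by Khazad's own S-box, MDS matrix and constants would not change the three checks.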

Then, we are exactly in the situation described in Section 3.2, with 256 known intermediate values and the corresponding ciphertexts, with 2.5 rounds in between. We have seen that a matrix can be built and 64 linear conditions derived from this matrix. Using them, we can guess and then verify the value of the first byte of $K_3$. Since there are 64 conditions, many wrong guesses of $K_0$ and $K_1$ can even be filtered out by the absence of a matching value for $K_3$. The number of remaining guesses afterwards is only

$$2^{64} \times 2^8 \times 2^8 \times 2^{-64} = 2^{16}$$

thus we can guess the 56 remaining bits of $K_1$ and deduce the full secret key (which is equivalent to $(K_0, K_1)$) for a total complexity of $2^{80}$ basic operations.

In fact, the linear algebra step has a larger complexity. The matrix we build is independent of the 8 guessed bits of $K_1$, so we need to build it $2^{64}$ times, and then apply Gaussian elimination in each case. This algorithm has a complexity of $(2^{11})^3$ binary operations. Using 32-bit instructions, it can be sped up to obtain a complexity equivalent to $2^{28}$ S-box lookups. Thus, this step is roughly equivalent to $2^{64} \times 2^{28} = 2^{92}$ S-box lookups.

On the other hand, building the interpolation matrix has a much smaller complexity, since it can be largely precomputed (it is just a collection of smaller matrix blocks, each depending on 8 bits of ciphertext). Besides, the cost of verifying the linear conditions corresponds on average to $2^{72} \times 2^8 \times 2 = 2^{81}$ evaluations of linear conditions on $2^{11}$-bit-long vectors, each costing roughly $2 \times 2^{11}$ bitwise operations. Using 32-bit instructions, this is roughly equivalent to

$$2^{81} \times 2^{11} \times 2 \times 2^{-5} = 2^{88}$$

S-box lookups. Therefore, the dominant cost in our attack is the linear algebra step.

To summarize, our attack against 5-round Khazad recovers the full 128-bit secret key with time complexity equivalent on average to $2^{91}$ S-box lookups and using basically the complete dictionary of $2^{64}$ plaintexts.
4.3 Overview of Cryptanalytic Results against Khazad

In Table 1, we have summarized all known cryptanalytic results against reduced-round versions of Khazad. Our improved integral attack is the best cryptanalytic result against Khazad. However, its data complexity represents on average the complete dictionary of $2^{64}$ plaintexts. Indeed, we need to encrypt 256 plaintexts for each guess of the first subkey. It is possible that the correct subkey is identified early; however, on average, all possible plaintexts will have been encrypted by the time we find the correct $K_0$. We did not manage to find a technique to guess the subkeys in a better order, or to trade data complexity for time complexity. This is a topic for further research.

In practice this huge data complexity will make the attack infeasible, although it is significantly faster than exhaustive key search. Furthermore, it is widely considered that recent block ciphers should resist key recovery attacks even when the full dictionary is known. Therefore, we consider this new attack a significant step forward in the analysis of Khazad. Whether it can be extended to 6 or more rounds remains an open question that should be further investigated.

5 Possible Extensions 

The attack we have described in Section 4 does not depend in depth on the components of this cipher. Concerning the S-box, the only property we use is its algebraic degree of 7. Concerning the MDS matrix, no property is specifically used. Therefore, Khazad cannot be strengthened by changing these components, and our attack depends only on the high-level structure of the cipher.

5.1 Key Scheduling Redundancy Attacks 

In the case of Khazad, we have shown that re-using the round function inside the key scheduling has surprising effects. More generally, when a block cipher $E$ uses in its key scheduling the same basic components as in the round function, a general problem is to consider the encryption of a chosen plaintext

$$\mathrm{Plain} = \Phi(K_0)$$

for a well-chosen function $\Phi$ of the first round key $K_0$. More precisely, one should investigate whether a cascade elimination can occur and yield a predictable value of $E_K(\mathrm{Plain})$, or even a simple function of a subkey. For instance, if

$$E_K(\mathrm{Plain}) = \Psi(K_i)$$

for some $i$ and some function $\Psi$, one may recover $K_i$ from the guess of $K_0$ with time and data complexity roughly equivalent to the size of the subkeys. If, in addition, the full secret key can be reconstructed from $K_0$ and $K_i$ (which is sometimes the case for key schedules based on Feistel networks), this can lead to an attack. This threat mostly concerns "small" block ciphers (like Khazad), where the round subkeys are smaller than the secret key.

In addition, an improvement would be to guess only a part of the first subkey, 
to obtain partially known intermediate values, in the case of SPN block ciphers 
that do not achieve full diffusion. This is the case of Anubis or Rijndael, though 
we did not manage to obtain any such observation against those. Furthermore, 
the existence of improved cascade eliminations on Khazad should also be further 
analyzed. More generally, using a key scheduling that is not too similar to the 
round function is probably more reasonable. 

5.2 Combining Integral and Interpolation Attacks 

This idea of combining integral attacks with attacks based on the algebraic prop- 
erties of a block cipher was originally introduced in [10]. However, no successful 
application has been reported since then. Our improved integral attack against 
Khazad is apparently the first successful combination of these two cryptanalytic 
techniques, although we also use additional properties of Khazad here. 

The problem is that integral attacks generally end up providing some information 
concerning a balanced set of intermediate values. This type of property 
does not pass well across S-box layers, while the diffusion layers very quickly 
increase the number of monomials. Thus it is generally difficult to write simple 
algebraic relations, even after guessing some subkey bits as we did for Khazad. 
Another specific problem is that only algebraic relations where intermediate 
values are expressed as a function of subkey and ciphertext bits are generally 
useful for interpolation attacks. For instance, low degree algebraic relations from 
the inversion in $GF(2^8)$ cannot be used, at least in a straightforward manner. In 
spite of these problems, we believe such attacks combining different cryptanalytic 
techniques may be of interest in the future. 


5.3 Other Algebraic Approaches 

In Section 3.3, we obtained a large multivariate, nonlinear system over GF(2). 
We used the relinearization technique [15], which means replacing all monomials 
(which happen to be present in reduced number here) by new unknowns and 
applying usual linear algebra techniques. This technique is not the best method 
known to solve nonlinear multivariate systems. However, it turns out to be 
sufficient and quite successful, since we can obtain simple conditions on subkey 
bits by reducing the underlying matrix. In fact, we do not even need to solve this 
system in the end. 

In a very generic way, what we obtain, for each guess of $K_0$, is a system 
of low degree involving a few unknown subkey bits. We need either to solve 
this system, or to detect quickly whether it has some solutions. Our attack uses the 
second strategy, and requires one application of the Gauss algorithm on a $2^{11}$-bit 
square matrix. In the light of recent progress ([7], [16]), better techniques 
to directly solve the system could be considered. However, it seems unlikely that the 
time complexity could be pushed below the length of the outside loop, namely 
$2^{64}$. Thus any complexity gain would probably be limited. However, it would be 
interesting to find out whether a similar simple system over more than 2.5 rounds 
could be derived. 


5.4 Exposure of Round Keys 

It follows from the previous observations that the security of 5 rounds of Khazad 
depends only on the secrecy of the first subkey. Indeed, the complexity of our 
attack is quite high, especially the data complexity; however, this is mostly due 
to the cost of guessing the first subkey $K_0$. 

If, somehow, the first round subkey is exposed, then 5-round reduced Khazad 
becomes insecure. In this case, the complete secret key can be recovered by 
applying the attack of Section 4 a few times, which has a complexity of only $2^{28}$ 
S-box lookups and 256 chosen plaintexts when $K_0$ is known. We consider this 
property quite undesirable. Indeed, information about the first round subkey 
may be obtained by other means than exhaustive search. For instance, side 
channel attack techniques may provide this kind of information. 


6 Conclusion 

We have proposed a new attack against the block cipher Khazad. This cipher is 
very interesting, because it constitutes a reduced and simplified version of 
Rijndael, so its analysis is very helpful in understanding the security of word-oriented 
SPN block ciphers, which are now widely used since the standardization of 
Rijndael as the AES. In particular, the new class of integral (aka Square) attacks 
which are (almost) independent of the S-boxes should be further investigated. 

In this paper, we break 5 rounds of Khazad (against 8 rounds for the full 
cipher) faster than exhaustive search: we use about $2^{64}$ chosen plaintexts and $2^{91}$ 
S-box lookups on average. Although the cryptanalytic techniques we exploit are 
not new, we combine them in a new and unexpected way to improve on known 
attacks. A very surprising improvement arises from some redundancies between 
the key scheduling and the round function of Khazad. Whether this attack can 
be improved or extended to 6 rounds remains a topic for further research. 

Abstract. We propose a new public key trace and revoke scheme secure 
against adaptive chosen ciphertext attack. Our scheme is more efficient 
than the DF scheme suggested by Y. Dodis and N. Fazio [9]. Our scheme 
reduces the length of the enabling block of the DF scheme by (about) half. 
Additionally, the computational overhead of the user is lower than that 
of the DF scheme; instead, the computational overhead of the server is 
increased. The total computational overhead of the user and the server 
is the same as that of the DF scheme, and therefore, our scheme is more 
practical, since the computing power of the user is weaker than that of 
the server in many applications. In addition, our scheme is secure against 
adaptive chosen ciphertext attack under only the decision Diffie-Hellman 
(DDH) assumption and the collision-resistant hash function H assumption, 
whereas the DF scheme also needs the one-time MAC (message 
authentication code) assumption. 


1 Introduction 

A broadcast encryption scheme enables a center to send encrypted data to a 
large group of users over an insecure channel, where only legitimate users can 
decrypt the data. The set of legitimate users is dynamically changing, so it 
should be possible to prevent some revoked users from decrypting the data. 
The broadcast encryption scheme has numerous applications, such as pay-TV 
systems, the distribution of copyrighted materials, internet multicasting of video, 
music, magazines, and so on. 

A. Fiat and M. Naor first formalized the basic definitions and paradigms 
of the broadcast encryption scheme [11]. Afterwards, many variants have been 
investigated. One example is the scheme of tracing traitors [6]. In this setting, 
the center can trace the traitors after a pirate decoder is confiscated. There are 
two types of approaches to the traitor-tracing scheme. One is a scheme that 
uses a secret key and coding approach [4,6,12,16,17,18,19] and the other uses a 
public key [3,14]. In the secret key scheme, the keys in the pirate decoder can 
be identified by combinatorial methods. In the public key approach, the size 
of the enabling block is independent of the number of subscribers. In addition, 
the public key traitor tracing schemes enable the center to prepare a public key 
that allows any entity to broadcast data to users. There is another variant of 
broadcast encryption, the revoke system, which concentrates on the problem of 
excluding a certain subset of users from receiving the data in a dynamically 
changing set of users. There are many revoke systems that use the secret key 
setting. These schemes are also divided into two categories. One is for stateless 
receivers [15,13,2] and the other is for non-stateless receivers [21,22]. 

Recently, a public key traitor-tracing scheme with the revocation capability 
was introduced by W. Tzeng and Z. Tzeng [20]. They also proposed a vari- 
ant of their basic scheme to be secure against adaptive chosen ciphertext attack 
(CCA2). However, Dodis and Fazio noted that W. Tzeng and Z. Tzeng’s scheme 
was not secure against CCA2 even if a single user is corrupted [9]. Dodis and 
Fazio also proposed their own scheme secure against CCA2 under the decision 
Diffie-Hellman (DDH) assumption, the collision-resistant hash function H 
assumption, and the one-time MAC assumption [9]. 


Our Results. We propose a new public key trace and revoke scheme secure 
against CCA2. Our scheme does not use the additional one-time MAC, so its 
security does not depend on the one-time MAC assumption. The length of the 
enabling block of our scheme is about half that of the DF scheme. Additionally, 
the computational overhead of the user is lower than that of the DF scheme; 
instead, the computational overhead of the server is increased. The total com- 
putational overhead of the user and the server is the same as that of the DF 
scheme. (We only consider the computation of exponentiation computed by the 
server and the user. If we did the analysis more precisely, our scheme is more 
efficient than the DF scheme because it does not require computational overhead 
for the MAC). Our scheme is more practical, since the computing power of the 
user is weaker than that of the server in many applications. 

By slightly modifying standard tracing algorithms from previous schemes 
(e.g. [20]), our scheme can be a fully functional trace and revoke scheme. How- 
ever, due to space limitations we will omit the tracing part and focus only on 
the revoke scheme, which is the original contribution of this paper. 


2 Preliminaries 

In this section, we review the Lagrange interpolation in the exponent, the de- 
cision Diffie-Hellman (DDH) assumption, and public key encryption schemes 
secure against CCA2. 


The Lagrange Interpolation in the Exponent. Let q be a prime and 
$f(x) = \sum_{t=0}^{z} a_t x^t$ a polynomial of degree z over $Z_q$. Let $x_0, \ldots, x_z$ be distinct 
elements in $Z_q$. Then using the Lagrange interpolation, we can express $f(x)$ 
as $\sum_{t=0}^{z} \left(f(x_t) \cdot \lambda_t(x)\right)$, where $\lambda_t(x) = \prod_{0 \le j \le z,\ j \ne t} \frac{x - x_j}{x_t - x_j}$, $0 \le t \le z$. We 
define the Lagrange interpolation operator as: 

$LI(x_0, \ldots, x_z; f(x_0), \ldots, f(x_z))(x) = \sum_{t=0}^{z} \left(f(x_t) \cdot \lambda_t(x)\right)$. 

Next, we consider a cyclic group G of order q and a generator g of G. Let 
$v_t = g^{f(x_t)}$, $0 \le t \le z$, where $x_t \in Z_q$ and $v_t \in G$. Then we define the Lagrange 
interpolation operator in the exponent as: 

EXP-LI$(x_0, \ldots, x_z; v_0, \ldots, v_z)(x) = g^{LI(x_0, \ldots, x_z; f(x_0), \ldots, f(x_z))(x)}$. 

We also remark that 

EXP-LI$(x_0, \ldots, x_z; v_0^r, \ldots, v_z^r)(x) = \left[\text{EXP-LI}(x_0, \ldots, x_z; v_0, \ldots, v_z)(x)\right]^r$. 

In what follows, we will refer to a function of the form $g^{f(x)}$, where $f(x)$ is a 
polynomial, as an EXP-polynomial. 


The Decision Diffie-Hellman Assumption. Let G be a group of large prime 
order q, and consider the following two distributions: 

— the distribution R of random quadruples $(g_1, g_2, u_1, u_2) \in G^4$, 

— the distribution D of quadruples $(g_1, g_2, u_1, u_2) \in G^4$, where $g_1, g_2$ are 
random, and $u_1 = g_1^r$ and $u_2 = g_2^r$ for random $r \in Z_q$. 

The decision Diffie-Hellman (DDH) assumption is that it is computationally 
hard to distinguish these two distributions. That is, we consider an algorithm 
that should output 0 or 1, given a quadruple coming from one of the two distri- 
butions. Then the difference between the probability that it outputs a 1 given 
an input from R, and the probability that it outputs a 1 given an input from D 
is negligible. 

Our scheme is based on the modified Cramer-Shoup (M-CS) scheme [5] and 
the DF scheme is based on the Cramer-Shoup (CS) scheme [7]. The M-CS scheme 
is a variant of the CS scheme. We briefly review these schemes. 


The Cramer-Shoup Scheme. Given a security parameter $1^\lambda$, the secret key 
is $(x_1, x_2, y_1, y_2, z)$ and the public key is $(p, q, g_1, g_2, c, d, h, H)$, where p is a $\lambda$-bit 
prime, $g_1, g_2$ are generators of G (a subgroup of $Z_p^*$ of a large prime order q), 
H is a hash function chosen from a collision-resistant hash function 
family, $x_1, x_2, y_1, y_2, z \leftarrow Z_q$, $c = g_1^{x_1} g_2^{x_2}$, $d = g_1^{y_1} g_2^{y_2}$, and $h = g_1^z$. 

Given a message $m \in G$, the encryption algorithm runs as follows. First, it 
chooses $r \leftarrow Z_q$ and computes $u_1 = g_1^r$, $u_2 = g_2^r$, $e = h^r m$, $\alpha = H(u_1, u_2, e)$, 
$v = c^r d^{r\alpha}$. The ciphertext is $(u_1, u_2, e, v)$. Given a ciphertext, the decryption 
algorithm runs as follows. First, it computes $v' = u_1^{x_1 + y_1 \alpha} \cdot u_2^{x_2 + y_2 \alpha}$. Next, it performs 
a validity check. If $v \ne v'$, then it outputs an error message, denoted $\bot$; 
otherwise, it outputs $m = e / u_1^z$. The security of this scheme against CCA2 is proven, 
based on the DDH assumption, in [7]. 


The Modified Cramer-Shoup Scheme. R. Canetti and S. Goldwasser 
slightly modified the above CS scheme as follows, without losing in security 
[5]. If the decryption algorithm finds $v \ne v'$, instead of outputting $\bot$ it outputs 
a random value in G. In a sense, the modified scheme is even “more secure” since 
the adversary is not notified by the decryption algorithm whether a ciphertext 
is valid. 

Now that the decryption algorithm does not explicitly check validity, given 
$(u_1, u_2, e, v)$ it outputs $\left(\frac{e}{u_1^z}\right) \cdot \left(\frac{v'}{v}\right)^s$ instead, where $v'$ is computed as in the CS 
scheme and $s \leftarrow Z_q$. Note that the decryption algorithm is now randomized. To 
see the validity of this modification, notice that if $v = v'$ then $\left(\frac{v'}{v}\right)^s = 1$ for all 
s, and the correct value is output. If $v \ne v'$, then the decryption algorithm 
outputs a uniformly distributed value in G, independent of m. The security of the 
M-CS scheme against CCA2 is proven, based on the DDH assumption, in [5]. 
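As an added example (written for this page, not code from the paper or from [5,7]), the following Python sketch implements CS decryption with its explicit validity check beside the M-CS variant that returns a random group element instead. It assumes toy parameters (a small safe prime p = 2q + 1 and the order-q subgroup G of $Z_p^*$) and SHA-256 reduced modulo q in place of the hash function H.

```python
import hashlib
import secrets

# Toy parameters, constructed for this example: p = 2q + 1 is a safe prime and
# G is the order-q subgroup of Z_p^*. Real deployments use large primes.
P, Q = 2039, 1019


def random_generator():
    """Random generator of G: squaring a random element of Z_p^* lands in G."""
    while True:
        g = pow(secrets.randbelow(P - 2) + 2, 2, P)
        if g != 1:
            return g


def hash_to_zq(*parts):
    """H(u1, u2, e) mapped into Z_q; SHA-256 stands in for the collision-resistant H."""
    data = "|".join(map(str, parts)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def keygen():
    """CS key generation: secret (x1, x2, y1, y2, z), public (g1, g2, c, d, h)."""
    g1, g2 = random_generator(), random_generator()
    x1, x2, y1, y2, z = (secrets.randbelow(Q) for _ in range(5))
    pk = {"g1": g1, "g2": g2,
          "c": pow(g1, x1, P) * pow(g2, x2, P) % P,
          "d": pow(g1, y1, P) * pow(g2, y2, P) % P,
          "h": pow(g1, z, P)}
    return pk, (x1, x2, y1, y2, z)


def encrypt(pk, m):
    """CS encryption of a group element m: (u1, u2, e, v) with v = c^r d^(r*alpha)."""
    r = secrets.randbelow(Q - 1) + 1
    u1, u2 = pow(pk["g1"], r, P), pow(pk["g2"], r, P)
    e = pow(pk["h"], r, P) * m % P
    a = hash_to_zq(u1, u2, e)
    v = pow(pk["c"], r, P) * pow(pk["d"], r * a, P) % P
    return (u1, u2, e, v)


def tag_check_value(sk, ct):
    """v' = u1^(x1 + y1*alpha) * u2^(x2 + y2*alpha), shared by both decryptors."""
    x1, x2, y1, y2, _ = sk
    u1, u2, e, _ = ct
    a = hash_to_zq(u1, u2, e)
    return pow(u1, x1 + y1 * a, P) * pow(u2, x2 + y2 * a, P) % P


def decrypt_cs(sk, ct):
    """Cramer-Shoup: explicit validity check; None stands for the error symbol."""
    u1, _, e, v = ct
    if v != tag_check_value(sk, ct):
        return None
    return e * pow(pow(u1, sk[4], P), -1, P) % P          # m = e / u1^z


def decrypt_mcs(sk, ct):
    """Canetti-Goldwasser M-CS: no check; output (e/u1^z) * (v'/v)^s for random s,
    which equals m when v = v' and is uniform in G otherwise."""
    u1, _, e, v = ct
    s = secrets.randbelow(Q)
    ratio = tag_check_value(sk, ct) * pow(v, -1, P) % P   # v'/v
    return e * pow(pow(u1, sk[4], P), -1, P) * pow(ratio, s, P) % P


def mcs_outputs(sk, ct, trials):
    """Set of M-CS outputs over several runs: one element for a valid ciphertext,
    many distinct elements for an invalid one."""
    return {decrypt_mcs(sk, ct) for _ in range(trials)}
```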

3 Public Key Broadcast Encryption Scheme 

We use the definition in [9]. In a public key broadcast encryption scheme BE, 
a session key s is encrypted and broadcast with the symmetric encryption of 
the “actual” message. Generally, the encryption of s is called the enabling block. 

3.1 Public Key Broadcast Encryption Scheme 

A public key broadcast encryption scheme BE consists of a 4-tuple of poly-time 
algorithms (KeyGen, Reg, Enc, Dec): 

— KeyGen, the key generation algorithm, is a probabilistic algorithm used by 
the center to set up all the parameters of the scheme. KeyGen takes as input a 
security parameter $1^\lambda$ and a revocation threshold z (i.e. the maximum number 
of users that can be revoked) and generates the public key PK and the master 
secret key $SK_{BE}$. 

— Reg, the registration algorithm, is a probabilistic algorithm used by the center 
to compute the secret initialization data needed to construct a new decoder each 
time a new user subscribes to the system. Reg receives as input the master secret 
key $SK_{BE}$ and a (new) index i associated with the user; it returns the user’s 
secret key $SK_i$. 

— Enc, the encryption algorithm, is a probabilistic algorithm used to encapsulate 
a given session key s within an enabling block T. Enc takes as input the public 
key PK, the session key s, and a set R of revoked users (with $|R| \le z$) and 
returns the enabling block T. 

— Dec, the decryption algorithm, is a deterministic algorithm that takes as input 
the secret key $SK_i$ of user i and the enabling block T and returns the session 
key s that was encapsulated within T if i was a legitimate user when T was 
constructed, or the special symbol $\bot$. 

3.2 Security against Adaptive Chosen Ciphertext Attack 

An adversary A in an adaptive chosen ciphertext attack (CCA2) is a proba- 
bilistic, poly-time oracle query machine. The attack game is defined in terms 
of an interactive computation between the adversary and its environment. We 
describe the attack game used to define the security against CCA2; that is, we 
define the environment in which A runs. We assume that the input to A is $1^\lambda$ 
for some $\lambda$. 

Stage 1: The adversary queries a key generation oracle. The key generation 
oracle computes $(PK, SK_{BE}) \leftarrow$ BE.KeyGen$(1^\lambda, z)$ and responds with PK. 

Stage 2: The adversary enters the user corruption stage, where she is given oracle 
access to the User Corruption Oracle $Cor_{SK_{BE}}(\cdot)$. This oracle receives as input 
the index i of the user to be corrupted, computes $SK_i \leftarrow$ BE.Reg$(SK_{BE}, i)$ 
and returns the user’s secret key $SK_i$. This oracle can be called adaptively for 
at most z times. Let us say that at the end of this stage the set R of at most z 
users is corrupted. 

Stage 3: The adversary submits two session keys $s_0, s_1$ to an encryption 
oracle. On input $s_0, s_1$, the encryption oracle computes: $\sigma \leftarrow \{0, 1\}$; $T^* \leftarrow$ 
BE.Enc$(PK, s_\sigma, R)$ and responds with the “target” enabling block $T^*$. 

Stage 4: The adversary continues to make calls to the decryption oracle, subject 
only to the restriction that a submitted enabling block T is not identical to $T^*$. 

Stage 5: The adversary outputs $\sigma^* \in \{0, 1\}$. 

We define the advantage of A as $Adv^{CCA2}_{BE,A}(\lambda) = \left|Pr(\sigma^* = \sigma) - \frac{1}{2}\right|$. 

We consider a variant of the CCA2, generalized chosen ciphertext attack 
(gCCA2) [1,9]. The attack game of gCCA2 is the same as that of CCA2 except 
Stage 4. In the attack game of gCCA2, the adversary cannot ask about 
enabling blocks closely related to the “target” enabling block. That is, in Stage 
4, the decryption oracle first checks whether the equivalence relation $R_i(T, T^*)$ holds. 
If so, it outputs $\bot$. 

Definition 1 (z-resilience of a public key broadcast encryption scheme) 

We say that a public key broadcast encryption scheme BE is z-resilient against 
CCA2 attack if for all probabilistic, poly-time oracle query machines A, the func- 
tion $Adv^{CCA2}_{BE,A}(\lambda)$ grows negligibly in $\lambda$. 

4 The DF Schemes 

Y. Dodis and N. Fazio proposed three broadcast encryption schemes (we call 
them DF-CPA, DF-gCCA2, DF-CCA2) that achieve z-resilience in an adap- 
tive setting for the case of CPA (chosen plaintext attack), gCCA2, and CCA2, 
respectively. Subsequent schemes build on the previous one in an incremental 
manner. Therefore, the DF-CPA scheme is more efficient than the DF-gCCA2 
Encryption algorithm Enc(PK, s, R): 

E1. $r_1 \leftarrow Z_q$ 
E2. $u_1 \leftarrow g_1^{r_1}$ 
E3. $u_2 \leftarrow g_2^{r_1}$ 
E4. $H_t \leftarrow h_t^{r_1}$, (t = 0,..,z) 
E5. $H_{j_t} \leftarrow$ EXP-LI$(0,..,z; H_0,..,H_z)(j_t)$, (t = 1,..,z) 
E6. $S \leftarrow s \cdot H_0$ 
E7. $\alpha \leftarrow H(S, u_1, u_2, (j_1, H_{j_1}),..,(j_z, H_{j_z}))$ 
E8. $v_t \leftarrow c_t^{r_1} d_t^{r_1 \alpha}$, (t = 0,..,z) 
E9. $T \leftarrow \langle S, u_1, u_2, (j_1, H_{j_1}),..,(j_z, H_{j_z}), v_0,..,v_z \rangle$ 

Decryption algorithm Dec(i, T): 

D1. $\alpha \leftarrow H(S, u_1, u_2, (j_1, H_{j_1}),..,(j_z, H_{j_z}))$ 
D2. $v_i \leftarrow u_1^{X_1(i)+Y_1(i)\alpha} \cdot u_2^{X_2(i)+Y_2(i)\alpha}$ 
D3. $v_i' \leftarrow$ EXP-LI$(0,..,z; v_0,..,v_z)(i)$ 
D4. if $v_i = v_i'$ 
D5. then $H_i \leftarrow u_1^{Z_1(i)} \cdot u_2^{Z_2(i)}$ 
D6. $s \leftarrow S \,/\,$ EXP-LI$(j_1,..,j_z,i; H_{j_1},..,H_{j_z},H_i)(0)$ 
D7. return s 
D8. else return $\bot$ 

Fig. 1. DF-gCCA2 

scheme, and the DF-gCCA2 scheme is more efficient than the DF-CCA2 scheme in 
the length of the enabling block and the computational overhead. In the next 
section, we define DF-gCCA2 and DF-CCA2. For a more detailed description, 
see [9]. 


4.1 DF-gCCA2 

Key generation algorithm: KeyGen selects two random generators $g_1, g_2 \in G$, 
where G is a group of order q, in which q is a large prime such that $2q = p - 1$, 
and p is a large prime. KeyGen selects six z-degree polynomials $X_1(\xi)$, $X_2(\xi)$, 
$Y_1(\xi)$, $Y_2(\xi)$, $Z_1(\xi)$, $Z_2(\xi)$ over $Z_q$, and computes $c_t = g_1^{X_1(t)} \cdot g_2^{X_2(t)}$, 
$d_t = g_1^{Y_1(t)} \cdot g_2^{Y_2(t)}$, $h_t = g_1^{Z_1(t)} \cdot g_2^{Z_2(t)}$ for $0 \le t \le z$. Finally, KeyGen chooses a hash 
function H from a family $\mathcal{F}$ of collision resistant hash functions, and outputs 
$(PK, SK_{BE})$, where $PK = (p, q, g_1, g_2, c_0, \ldots, c_z, d_0, \ldots, d_z, h_0, \ldots, h_z, H)$ and 
$SK_{BE} = (X_1, X_2, Y_1, Y_2, Z_1, Z_2)$. 

Registration algorithm: Each time a new user $i > z$ decides to subscribe to 
the system, the center provides him with a decoder box containing the secret 
key $SK_i = (i, X_1(i), X_2(i), Y_1(i), Y_2(i), Z_1(i), Z_2(i))$. 

Encryption algorithm: Using the idea of the CS scheme [7,8], in order to 
obtain a non-malleable ciphertext, they “tag” each encrypted message so that it 
can be verified before proceeding with the actual decryption. In the broadcast 
encryption scenario, where each user has a different decryption key, the tag 
cannot be a single point; they need to distribute an entire EXP-polynomial 
$V(x)$. This is accomplished by appending z+1 tags, $v_0, \ldots, v_z$, to the ciphertext. 

The encryption algorithm receives as input the public key PK, the session 
key s, and a set $R = \{j_1, \ldots, j_z\}$ of revoked users. It proceeds as described in 
Fig. 1, and finally it outputs T. 

Decryption algorithm: To recover the session key, a legitimate user i can 
proceed as in Fig. 1. He computes the tag $v_i$ using his private key and then 
verifies the validity of the ciphertext by checking the interpolation of the z+1 
values in point i against his $v_i$ (Steps D2, D3, and D4). If i is a revoked user, 
the algorithm fails in Step D6, since the interpolation points $j_1, \ldots, j_z, i$ are not 
pairwise distinct. 

Security: The adversary can make the ciphertext malleable because of the use 
of an EXP-polynomial $V(x)$. Since each user i can verify the value of $V(x)$ in 
only one point, the adversary can modify $v_0, \ldots, v_z$ and construct a different 
EXP-polynomial $V'(x)$ such that $V'(x = x_i) = V(x_i)$, thus fooling user i into 
accepting as valid a corrupted ciphertext. To prevent this, a family of equivalence 
relations $\{R_i\}$ is introduced. Two ciphertexts T and T' are equivalent for user 
i if they have the same “data” components, and the tag “relevant to user i” 
is correctly verified, i.e. $v_i = v_i'$ (even though other “irrelevant” tags could 
be different) [9]. By using this equivalence relation, DF-gCCA2 is secure against 
gCCA2. In Stage 4 of the attack game, the adversary cannot ask T which is 
equivalently related to the “target” $T^*$. 

4.2 DF-CCA2 

In Section 4.1, we saw that the DF-gCCA2 scheme does not provide a complete 
solution to the CCA2 problem, but only suffices for gCCA2 security. Indeed, 
given a challenge $T^*$ with tag sequence $v_0, \ldots, v_z$, it is trivial to make a different 
sequence $v_0', \ldots, v_z'$ such that $v_i' = v_i$, resulting in a “different” enabling block 
$T \ne T^*$; however, Dec$(i, T^*) =$ Dec$(i, T)$, allowing the adversary to “break” 
CCA2 security. 

To achieve CCA2 security Dodis and Fazio used a trick to make the tag 
sequence $v_0, \ldots, v_z$ non-malleable. To this end, they used a message authentica- 
tion code (MAC). The key generation algorithm and the registration algorithm 
are the same as those of DF-gCCA2. The encryption and decryption algorithms 
are shown in Fig. 2. The encryption algorithm operates similarly to the gCCA2 
encryption algorithm, but the main difference is that now a MAC key k is used 
to MAC the tag sequence $v_0, \ldots, v_z$, and is encapsulated within T along with 
the session key s. 

If the DDH problem is hard in G, H is chosen from a collision-resistant hash 
function family $\mathcal{F}$, and MAC is a one-time message authentication code, then 
the DF-CCA2 scheme is z-resilient against CCA2 [9]. 

5 Proposed Scheme 

In this section, we propose a new public key trace and revoke scheme secure 
against CCA2. Our scheme does not use the additional one-time MAC, so its se- 
curity does not depend on the one-time MAC. The length of the enabling block of 
our scheme is about half that of the DF-CCA2 (DF-gCCA2) scheme. Addition- 
ally, the computational overhead of the user is lower than that of the DF-CCA2 
(DF-gCCA2) scheme. Instead, the computational overhead of the server is in- 
creased, but the total computational overhead of the user and the server is the 
same as that of the DF-CCA2 (DF-gCCA2) scheme. We only consider the com- 
putation of exponentiation computed by the server and user. Our scheme is more 
Encryption algorithm Enc(PK, s, R): 

E1. $r_1 \leftarrow Z_q$ 
E2. $u_1 \leftarrow g_1^{r_1}$ 
E3. $u_2 \leftarrow g_2^{r_1}$ 
E4. $H_t \leftarrow h_t^{r_1}$, (t = 0,..,z) 
E5. $H_{j_t} \leftarrow$ EXP-LI$(0,..,z; H_0,..,H_z)(j_t)$, (t = 1,..,z) 
E6. $k \leftarrow K$ 
E7. $S \leftarrow (s \| k) \cdot H_0$ 
E8. $\alpha \leftarrow H(S, u_1, u_2, (j_1, H_{j_1}),..,(j_z, H_{j_z}))$ 
E9. $v_t \leftarrow c_t^{r_1} d_t^{r_1 \alpha}$, (t = 0,..,z) 
E10. $\tau \leftarrow MAC_k(v_0,..,v_z)$ 
E11. $T \leftarrow \langle S, u_1, u_2, (j_1, H_{j_1}),..,(j_z, H_{j_z}), v_0,..,v_z, \tau \rangle$ 

Decryption algorithm Dec(i, T): 

D1. $\alpha \leftarrow H(S, u_1, u_2, (j_1, H_{j_1}),..,(j_z, H_{j_z}))$ 
D2. $v_i \leftarrow u_1^{X_1(i)+Y_1(i)\alpha} \cdot u_2^{X_2(i)+Y_2(i)\alpha}$ 
D3. $v_i' \leftarrow$ EXP-LI$(0,..,z; v_0,..,v_z)(i)$ 
D4. if $v_i = v_i'$ 
D5. then $H_i \leftarrow u_1^{Z_1(i)} \cdot u_2^{Z_2(i)}$ 
D6. $s \| k \leftarrow S \,/\,$ EXP-LI$(j_1,..,j_z,i; H_{j_1},..,H_{j_z},H_i)(0)$ 
D7. extract s and k from $(s \| k)$ 
D8. if $\tau \ne MAC_k(v_0,..,v_z)$ 
D9. then return $\bot$ 
D10. else return s 
D11. else return $\bot$ 

Fig. 2. DF-CCA2 

efficient precisely because it does not require the computational overhead for the 
MAC, whereas the DF-CCA2 scheme does. Our scheme is more practical, since the 
computing power of the user is weaker than that of the server in many applications. 

Main Idea: In the DF-CCA2 scheme, given the enabling block $T \leftarrow \langle S, u_1, u_2,$ 
$(j_1, H_{j_1}), \ldots, (j_z, H_{j_z}), v_0, \ldots, v_z, \tau \rangle$, to check the validity of T user i con- 
structs $V(x)$ using $v_0, \ldots, v_z$ and checks whether $V(x = i) = v_i$. He also checks 
the validity of $v_0, \ldots, v_z$ by use of the MAC value $\tau$. Our idea starts from the 
problem of the DF-gCCA2 scheme. In the DF-gCCA2 scheme, the decryption 
oracle cannot distinguish $V'(x)$ such that $V'(i) = V(i)$, but $v_0', \ldots, v_z' \ne v_0, \ldots, v_z$. 
The DF-CCA2 scheme solves this problem by the use of the MAC. 

We make the enabling block $T \leftarrow \langle S, u_1, u_2, c^r d^{r\alpha}, v_1, \ldots, v_z \rangle$. Given T, 
user i computes $V(x)$ using $v_1, \ldots, v_z$ and his secret share $v_i$. Then he checks the 
validity of T using $c^r d^{r\alpha}$ and $V(x = 0)$. The adversary cannot compute $V(x = 0)$, 
since he knows only z shares of the degree-z polynomial $V(x)$. Therefore, the 
adversary cannot cheat the decryption oracle. 

Key generation algorithm: KeyGen selects two random generators $g_1, g_2 \in G$, 
where G is a group of order q in which q is a large prime such that $2q = p - 1$, 
and p is a large prime. It selects $x_1, x_2, y_1, y_2 \in Z_q$ and z-degree polynomials 
$X_1(\xi)$, $X_2(\xi)$, $Y_1(\xi)$, $Y_2(\xi)$ over $Z_q$ such that $X_1(0) = x_1$, $X_2(0) = x_2$, $Y_1(0) = y_1$, 
$Y_2(0) = y_2$. It also selects z-degree polynomials $Z_1(\xi)$, $Z_2(\xi)$ over $Z_q$ and computes 
$c = g_1^{x_1} g_2^{x_2}$, $d = g_1^{y_1} g_2^{y_2}$. Then, it computes $h_t = g_1^{Z_1(t)} g_2^{Z_2(t)}$, $0 \le t \le z$, and 

$x_{1,t} = g_1^{X_1(t)}$, $x_{2,t} = g_2^{X_2(t)}$, $y_{1,t} = g_1^{Y_1(t)}$, $y_{2,t} = g_2^{Y_2(t)}$, $0 \le t \le z$. 

Finally, KeyGen chooses a hash function H from a family $\mathcal{F}$ of collision 
resistant hash functions, and outputs $(PK, SK_{BE})$, where $PK = (p, q, g_1, g_2,$ 
$c, d, x_{1,0}, \ldots, x_{1,z}, x_{2,0}, \ldots, x_{2,z}, y_{1,0}, \ldots, y_{1,z}, y_{2,0}, \ldots, y_{2,z}, h_0, \ldots, h_z, H)$ and 
$SK_{BE} = (X_1, X_2, Y_1, Y_2, Z_1, Z_2)$. 

Registration algorithm: Each time a new user $i > z$ decides to subscribe to 
the system, the center provides him with a decoder box containing the secret 
key $SK_i = (i, X_1(i), X_2(i), Y_1(i), Y_2(i), Z_1(i), Z_2(i))$. 
Encryption algorithm Enc(PK, s, R): 

E1. $r_1 \leftarrow Z_q$ 
E2. $u_1 \leftarrow g_1^{r_1}$ 
E3. $u_2 \leftarrow g_2^{r_1}$ 
E4. $H_t \leftarrow h_t^{r_1}$, (t = 0,..,z) 
E5. $H_{j_t} \leftarrow$ EXP-LI$(0,..,z; H_0,..,H_z)(j_t)$, (t = 1,..,z) 
E6. $S \leftarrow s \cdot H_0$ 
E7. $\alpha \leftarrow H(S, u_1, u_2)$ 
E8. $C_t \leftarrow (x_{1,t}\, x_{2,t})^{r_1} (y_{1,t}\, y_{2,t})^{r_1 \alpha}$, (t = 0,..,z) 
E9. $C_{j_t} \leftarrow$ EXP-LI$(0,..,z; C_0,..,C_z)(j_t)$, (t = 1,..,z) 
E10. $C \leftarrow c^{r_1} d^{r_1 \alpha}$ 
E11. $F_{j_t} \leftarrow H_{j_t} / C_{j_t}$, (t = 1,..,z) 
E12. $T \leftarrow \langle S, u_1, u_2, c^{r_1} d^{r_1 \alpha}, (j_1, F_{j_1}),..,(j_z, F_{j_z}) \rangle$ 

Decryption algorithm Dec(i, T): 

D1. $\alpha \leftarrow H(S, u_1, u_2)$ 
D2. $C_i \leftarrow u_1^{X_1(i)+Y_1(i)\alpha} \cdot u_2^{X_2(i)+Y_2(i)\alpha}$ 
D3. $H_i \leftarrow u_1^{Z_1(i)} \cdot u_2^{Z_2(i)}$ 
D4. $F_i \leftarrow H_i / C_i$ 
D5. $s \leftarrow S \,/\, \left(\text{EXP-LI}(j_1,..,j_z,i; F_{j_1},..,F_{j_z},F_i)(0) \cdot c^{r_1} d^{r_1 \alpha}\right)$ 

Fig. 3. Our proposed scheme. 

Encryption algorithm: Our scheme is based on the idea of M-CS [5]. The 
encryption algorithm receives as input the public key PK, the session key s, 
and a set $R = \{j_1, \ldots, j_z\}$ of revoked users. It proceeds as described in Fig. 3, 
and finally it outputs T. Enc computes and distributes $F_{j_t}$, $1 \le t \le z$. We can 
think of $F_{j_t}$ as $g_1^{Q(j_t)}$, where $Q(\xi)$ is a z-degree polynomial over $Z_q$. Therefore, an 
adversary who knows only z shares of $F_{j_t}$ cannot cheat the decryption oracle. 

Decryption algorithm: To recover the session key, a legitimate user i can 
proceed as in Fig. 3. A legitimate user can compute s in Step D5, but a revoked 
user fails, since the interpolation points $j_1, \ldots, j_z, i$ are not pairwise distinct. 

We here verify that the output of the decryption algorithm is identical to the 
session key s if the user i is a legitimate user. We can rewrite $F_i$ computed in 
Step D4 as follows (let $g_2 = g_1^w$): 



Consequently, $F_i = g_1^{Q(i)}$, where $Q(\xi)$ is a z-degree polynomial over $Z_q$. If we com- 
pute $F_0$ using the Lagrange interpolation in the exponent as in Step D5, we can 
obtain the following value: 


$F_0 = \text{EXP-LI}(j_1, \ldots, j_z, i; F_{j_1}, \ldots, F_{j_z}, F_i)(0) \cdot c^{r_1} d^{r_1 \alpha}$ 

$= g_1^{(r_1 z_1 + w r_1 z_2) - r_1 x_1 - r_1 y_1 \alpha - w r_1 x_2 - w r_1 y_2 \alpha + (r_1 x_1 + w r_1 x_2 + r_1 y_1 \alpha + w r_1 y_2 \alpha)}$ 

$= \dfrac{H_0 \cdot c^{r_1} d^{r_1 \alpha}}{c^{r_1} d^{r_1 \alpha}}$ 

$= H_0$ 

(where $z_1 = Z_1(0)$ and $z_2 = Z_2(0)$). Therefore, $S / F_0 = s$. 
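To make the Lagrange interpolation in the exponent of Section 2 and the Enc/Dec steps of Fig. 3 concrete, here is an added Python implementation of the proposed scheme (example code written for this page, not the authors' implementation). It assumes toy parameters (p = 2q + 1 = 2039, G the order-q subgroup of $Z_p^*$), SHA-256 reduced modulo q as H, and exactly z revoked users per enabling block.

```python
import hashlib
import secrets

# Toy parameters, constructed for this example: p = 2q + 1 is a safe prime and
# G is the order-q subgroup of Z_p^*. Real deployments use large primes.
P, Q = 2039, 1019


def random_generator():
    """Random generator of G: squaring a random element of Z_p^* lands in G."""
    while True:
        g = pow(secrets.randbelow(P - 2) + 2, 2, P)
        if g != 1:
            return g


def hash_to_zq(*parts):
    """H(S, u1, u2) mapped into Z_q; SHA-256 stands in for the collision-resistant H."""
    data = "|".join(map(str, parts)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def poly_eval(coeffs, x):
    """Evaluate sum_t coeffs[t] * x^t over Z_q (coeffs[0] is the constant term)."""
    return sum(a * pow(x, t, Q) for t, a in enumerate(coeffs)) % Q


def lagrange_coeff(xs, t, x):
    """lambda_t(x) = prod_{j != t} (x - x_j) / (x_t - x_j) over Z_q."""
    num, den = 1, 1
    for j, xj in enumerate(xs):
        if j != t:
            num = num * (x - xj) % Q
            den = den * (xs[t] - xj) % Q
    return num * pow(den, -1, Q) % Q


def exp_li(xs, vs, x):
    """EXP-LI(x_0..x_z; v_0..v_z)(x) = prod_t v_t^{lambda_t(x)}, computed in G."""
    out = 1
    for t, v in enumerate(vs):
        out = out * pow(v, lagrange_coeff(xs, t, x), P) % P
    return out


def keygen(z):
    """KeyGen(1^lambda, z): six random z-degree polynomials; X1(0)=x1, ..., Y2(0)=y2."""
    g1, g2 = random_generator(), random_generator()
    X1, X2, Y1, Y2, Z1, Z2 = ([secrets.randbelow(Q) for _ in range(z + 1)] for _ in range(6))
    pts = range(z + 1)
    pk = {"g1": g1, "g2": g2, "z": z,
          "c": pow(g1, X1[0], P) * pow(g2, X2[0], P) % P,
          "d": pow(g1, Y1[0], P) * pow(g2, Y2[0], P) % P,
          "h": [pow(g1, poly_eval(Z1, t), P) * pow(g2, poly_eval(Z2, t), P) % P for t in pts],
          "x1": [pow(g1, poly_eval(X1, t), P) for t in pts],
          "x2": [pow(g2, poly_eval(X2, t), P) for t in pts],
          "y1": [pow(g1, poly_eval(Y1, t), P) for t in pts],
          "y2": [pow(g2, poly_eval(Y2, t), P) for t in pts]}
    return pk, (X1, X2, Y1, Y2, Z1, Z2)


def register(sk, i):
    """Reg(SK_BE, i): user i > z gets (i, X1(i), X2(i), Y1(i), Y2(i), Z1(i), Z2(i))."""
    return (i,) + tuple(poly_eval(f, i) for f in sk)


def encrypt(pk, s, revoked):
    """Enc(PK, s, R) as in Fig. 3; this example assumes exactly z revoked users."""
    pts = list(range(pk["z"] + 1))
    r1 = secrets.randbelow(Q - 1) + 1                                     # E1
    u1, u2 = pow(pk["g1"], r1, P), pow(pk["g2"], r1, P)                   # E2, E3
    H = [pow(h, r1, P) for h in pk["h"]]                                  # E4
    S = s * H[0] % P                                                      # E6
    a = hash_to_zq(S, u1, u2)                                             # E7
    C = [pow(pk["x1"][t] * pk["x2"][t], r1, P)
         * pow(pk["y1"][t] * pk["y2"][t], r1 * a, P) % P for t in pts]    # E8
    tag = pow(pk["c"], r1, P) * pow(pk["d"], r1 * a, P) % P               # E10: c^r1 d^(r1 a)
    # E5, E9, E11: F_j = H_j / C_j for each revoked j, both interpolated from points 0..z
    F = [(j, exp_li(pts, H, j) * pow(exp_li(pts, C, j), -1, P) % P) for j in revoked]
    return (S, u1, u2, tag, F)


def decrypt(sk_i, T):
    """Dec(i, T) as in Fig. 3. There is no explicit validity check: a tampered
    T (e.g. a modified c^r1 d^(r1 a)) simply yields a wrong group element."""
    i, X1i, X2i, Y1i, Y2i, Z1i, Z2i = sk_i
    S, u1, u2, tag, F = T
    a = hash_to_zq(S, u1, u2)                                             # D1
    Ci = pow(u1, X1i + Y1i * a, P) * pow(u2, X2i + Y2i * a, P) % P        # D2
    Hi = pow(u1, Z1i, P) * pow(u2, Z2i, P) % P                            # D3
    Fi = Hi * pow(Ci, -1, P) % P                                          # D4
    xs = [j for j, _ in F] + [i]
    if len(set(xs)) != len(xs):              # revoked user: interpolation points collide
        return None
    F0 = exp_li(xs, [f for _, f in F] + [Fi], 0) * tag % P                # D5: F_0 = H_0
    return S * pow(F0, -1, P) % P
```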

Security: 

Theorem 1 If the DDH problem is hard in G and H is chosen from a collision- 
resistant hash function family $\mathcal{F}$, then our scheme is z-resilient against the adap- 
tive chosen ciphertext attack. 

Proof. Our overall strategy for the proof follows the structural approach in [8]. 
We shall define a sequence $G_0, G_1, \ldots, G_l$ of modified attack games. Each of 
the games $G_0, G_1, \ldots, G_l$ operates on the same underlying probability space. 
In particular, the public key cryptosystem, the coin tosses Coins of A, and the 
hidden bit $\sigma$ take on identical values across all games, while some of the rules 
that define how the environment responds to oracle queries may differ from game 
to game. For any $1 \le i \le l$, we let $T_i$ be the event that $\sigma = \sigma^*$ in the game 
$G_i$. Our strategy is to show that for $1 \le i \le l$, the quantity $|Pr[T_{i-1}] - Pr[T_i]|$ 
is negligible. In addition, it will be evident from the definition of game $G_l$ that 
$Pr[T_l] = \frac{1}{2}$, which will imply that $|Pr[T_0] - \frac{1}{2}|$ is negligible. 

Before continuing, we state the following simple but useful lemma from [8]. 

Lemma 1 Let $U_1$, $U_2$, and F be events defined on some probability space. 
Suppose that the event $U_1 \wedge \neg F$ occurs if and only if $U_2 \wedge \neg F$ occurs. Then 
$|Pr[U_1] - Pr[U_2]| \le Pr[F]$. 

Game $G_0$: Let $G_0$ be the original attack game, let $\sigma^* \in \{0, 1\}$ denote the output 
of A, and let $T_0$ be the event that $\sigma = \sigma^*$ in $G_0$, so that $Adv^{CCA2}_{Scheme,A}(\lambda) = $ 
$|Pr[T_0] - \frac{1}{2}|$. 

Game $G_1$: $G_1$ is identical to $G_0$, except that in $G_1$, steps E4 and E8 are 
replaced with the following: 

E4'. $H_t \leftarrow u_1^{Z_1(t)} \cdot u_2^{Z_2(t)}$, $t = 0, \ldots, z$ 

E8'. $C_t \leftarrow u_1^{X_1(t)+Y_1(t)\alpha} \cdot u_2^{X_2(t)+Y_2(t)\alpha}$, $t = 0, \ldots, z$ 

The change we have made is purely conceptual; it is just to make explicit 
any functional dependency of the above quantities on $u_1$ and $u_2$. Clearly, it holds 
that $Pr[T_0] = Pr[T_1]$. 

Game $G_2$: We again modify the encryption oracle, replacing steps E1 and E3 
by 

E1'. $r_1 \leftarrow Z_q$, $r_2 \leftarrow Z_q \setminus \{r_1\}$ 

E3'. $u_2 \leftarrow g_2^{r_2}$ 

Notice that while in $G_1$ the values $u_1$ and $u_2$ are obtained using the same 
value $r_1$, in $G_2$ they are independent subject to $r_1 \ne r_2$. Therefore, any difference 
in behavior between $G_1$ and $G_2$ immediately yields a PPT algorithm $A_1$ that is 
able to distinguish DH tuples from totally random tuples with a non-negligible 
advantage. That is, $|Pr[T_2] - Pr[T_1]| \le \epsilon_1$ for some negligible $\epsilon_1$. 

Game G 3 : In this game, we modify the decryption oracle in G 2 to obtain G 3 
as follows: 
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D\. a <— H(S,ui,ii2) 

D' c <- 
£>2-1. if («2 = Uf) 

ZXj. then P; <- u f^+ z ^ w 

D' x . F t <r~ H,§- 

r y „ , 

5 ' * ^ MXP-FXijn, T5Jj®|pF 

$D'_6$. else return $\perp$

At this point, let $R_3$ be the event that the adversary $A$ submits some
decryption queries that are rejected in Step $D_{2\text{-}1}$ in $G_3$, but passed in $G_2$. Note
that if a query passes in $D_{2\text{-}1}$ in $G_3$, it would have also passed in $G_2$. It is clear
that $G_2$ and $G_3$ proceed identically until the event $R_3$ occurs. In particular, the
events $T_2 \wedge \neg R_3$ and $T_3 \wedge \neg R_3$ are identical. Therefore, by Lemma 1, we have

$|\Pr[T_3] - \Pr[T_2]| \le \Pr[R_3]$

and so it suffices to bound $\Pr[R_3]$. To do this we consider two more games, $G_4$
and $G_5$.

Game $G_4$: This game is identical to $G_3$, except for a change in Step $E_6$ as
follows:

$E'_6$. $e \leftarrow_R \mathbb{Z}_q$, $S \leftarrow g_1^{e}$

It is clear by construction that $\Pr[T_4] = \frac{1}{2}$, since in $G_4$ the variable $\sigma$ is
never used at all, and so the adversary's output is independent of $\sigma$.

Let $R_4$ be the event that some decryption queries that would have passed in
$G_2$ fail to pass in Step $D_{2\text{-}1}$ in $G_4$. Then we have the following facts.

Lemma 2 $\Pr[T_4] = \Pr[T_3]$ and $\Pr[R_4] = \Pr[R_3]$.

The proof of Lemma 2 is shown in the Appendix.
Game $G_5$: This game is identical to $G_4$, except for the following modification. In
the decryption algorithm, we add the following special rejection rule, to prevent
$A$ from submitting an illegal enabling block to the decryption oracle once she
has received her challenge $T^*$.

Special rejection rule: After the adversary $A$ receives the challenge $T^* = (S^*, u_1^*,
u_2^*, (c^{r_1} d^{r_1 a})^*, (j_1^*, F_{j_1}^*), \ldots, (j_z^*, F_{j_z}^*))$, the decryption oracle rejects any query
$\langle i, T \rangle$, with $T = (S, u_1, u_2, (c^{r_1} d^{r_1 a}), (j_1, F_{j_1}), \ldots, (j_z, F_{j_z}))$, such that $(S^*, u_1^*, u_2^*)
\ne (S, u_1, u_2)$ but $a = a^*$, and it does so before executing the test in Step $D_{2\text{-}1}$.

To analyze this game, we define two events. Let $C_5$ be the event that the
adversary $A$ submits a decryption query that is rejected using the above special
rejection rule, and $R_5$ the event that the adversary $A$ submits some decryption
query that would have passed in $G_2$, but fails to pass in Step $D_{2\text{-}1}$ in $G_5$. Now it
is clear that $G_4$ and $G_5$ proceed identically until event $C_5$ occurs. In particular,
the events $R_4 \wedge \neg C_5$ and $R_5 \wedge \neg C_5$ are identical. Therefore, by Lemma 1, we have

$|\Pr[R_5] - \Pr[R_4]| \le \Pr[C_5]$

Now, if event $C_5$ occurs with non-negligible probability, we can construct
a PPT algorithm $A_2$ that breaks the collision resistance assumption with non-negligible
probability. So, $\Pr[C_5] \le \epsilon_2$ for some negligible $\epsilon_2$.

Finally, we show that event $R_5$ occurs with negligible probability.

Lemma 3 $\Pr[R_5] \le Q_A(\lambda)/q$,

where $Q_A(\lambda)$ is an upper bound on the number of decryption queries made
by the adversary $A$. The proof of Lemma 3 is shown in the Appendix.

Finally, combining the intermediate results ($\Pr[T_4] = \frac{1}{2}$, $\Pr[T_0] = \Pr[T_1]$,
Lemma 2 and the bounds on $\Pr[C_5]$ and $\Pr[R_5]$), we conclude that the adversary
$A$'s advantage is negligible:

$$\mathrm{Adv}_{\mathrm{Scheme},A}(\lambda) = \left|\Pr[T_0] - \tfrac{1}{2}\right| \le \epsilon_1 + \epsilon_2 + \frac{Q_A(\lambda)}{q}.$$
Appendix

To prove Lemma 2 and Lemma 3, the following lemma is useful. The proof of
Lemma 4 is shown in [8]. Our proofs follow the structural approach in [8,10].
Therefore, they are similar to those of [10] except for some variables and notations.

Lemma 4 Let $k, n$ be integers with $1 \le k \le n$, and let $K$ be a finite field.
Consider a probability space with random variables $\alpha \in K^{n \times 1}$, $\beta = (\beta_1, \ldots, \beta_k)^T
\in K^{k \times 1}$, $\gamma \in K^{k \times 1}$, and $M \in K^{k \times n}$, such that $\alpha$ is uniformly distributed over
$K^{n \times 1}$, $\beta = M\alpha + \gamma$, and for $1 \le i \le k$, the $i$th rows of $M$ and $\gamma$ are determined
by $\beta_1, \ldots, \beta_{i-1}$.

Then conditioning on any fixed values of $\beta_1, \ldots, \beta_{k-1}$ such that the resulting
matrix $M$ has rank $k$, the value of $\beta_k$ is uniformly distributed over $K$ in the
resulting conditional probability space.

In what follows, we define:

Coins: the coin tosses of $A$; $X_t = X_1(t) + wX_2(t)$, $Y_t = Y_1(t) + wY_2(t)$, $Z_t =
Z_1(t) + wZ_2(t)$, $t = 0, \ldots, z$;
$w = \log_{g_1} g_2$.

Proof of Lemma 2

Lemma 2. $\Pr[T_4] = \Pr[T_3]$ and $\Pr[R_4] = \Pr[R_3]$.

Proof. Consider the quantity $X := (\mathrm{Coins}, H, w, X_1(0), \ldots, X_1(z), X_2(0), \ldots,
X_2(z), Y_1(0), \ldots, Y_1(z), Y_2(0), \ldots, Y_2(z), Z_1, \ldots, Z_z, \sigma, r_1^*, r_2^*)$ and the quantity
$Z_0$. Note that $X$ and $Z_0$ take on the same values in $G_3$ and $G_4$. Consider also
the quantity $e^* = \log_{g_1} S^*$. This quantity takes on different values in $G_3$ and $G_4$.
For clarity, let us denote these values as $[e^*]_3$ and $[e^*]_4$, respectively.

It is clear by inspection that the events $R_3$ and $T_3$ are determined as functions
of $X$, $Z_0$, and $[e^*]_3$. Also, the events $R_4$ and $T_4$ are determined as functions
of $X$, $Z_0$ and $[e^*]_4$. Therefore to prove Lemma 2, it suffices to show that the
distributions of $(X, Z_0, [e^*]_3)$ and $(X, Z_0, [e^*]_4)$ are identical. Observe that by
the construction, conditioning on any fixed values of $X$ and $Z_0$, the distribution
of $[e^*]_4$ is uniform over $\mathbb{Z}_q$. Therefore, it will suffice to show that conditioning
on any fixed values of $X$ and $Z_0$, the distribution of $[e^*]_3$ is uniform over $\mathbb{Z}_q$.
We have the following equation:



M 


where $\det(M) = w(r_2^* - r_1^*) \ne 0$ since $r_2^* \ne r_1^*$.

Conditioning only on a fixed value of $X$, the matrix $M$ is fixed, but the
values $Z_1(0)$ and $Z_2(0)$ are still uniformly and independently distributed over
$\mathbb{Z}_q$. If we further condition on a fixed value of $Z_0$, the value of $s_a$ is fixed; hence,
by Lemma 4, the distribution of $[e^*]_3$ is uniform over $\mathbb{Z}_q$. □

Proof of Lemma 3

Lemma 3. $\Pr[R_5] \le Q_A(\lambda)/q$.

Proof. For $1 \le j \le Q_A(\lambda)$ we define the following events:

— $R_5^{(j)}$: the event that the $j$th ciphertext $\langle i, T \rangle$, submitted to the decryption
oracle in $G_5$, fails to pass $D_{2\text{-}1}$, but would have passed in $G_2$,

— $B^{(j)}$: the event that the $j$th ciphertext $\langle i, T \rangle$ is submitted to the decryption
oracle before $A$ received her challenge,

— $B'^{(j)}$: the event that the $j$th ciphertext $\langle i, T \rangle$ is submitted to the decryption
oracle after $A$ received her challenge.

If we show that $\Pr[R_5^{(j)} \mid B^{(j)}] \le \frac{1}{q}$ and $\Pr[R_5^{(j)} \mid B'^{(j)}] \le \frac{1}{q}$, then Lemma 3 is
proved. □

Lemma 5 For all $1 \le j \le Q_A(\lambda)$, we have $\Pr[R_5^{(j)} \mid B^{(j)}] \le \frac{1}{q}$.

Lemma 6 For all $1 \le j \le Q_A(\lambda)$, we have $\Pr[R_5^{(j)} \mid B'^{(j)}] \le \frac{1}{q}$.

Proof of Lemma 5. Fix $1 \le j \le Q_A(\lambda)$ and consider the quantities:

$X := (\mathrm{Coins}, H, w, Z_0, \ldots, Z_z)$, $X' := (X_0, \ldots, X_z, Y_0, \ldots, Y_z)$.

These two quantities completely determine the behavior of the adversary up
to the moment that $A$ performs the encryption query, and in particular, they
completely determine the event $B^{(j)}$. Let us call $X$ and $X'$ relevant if the event
$B^{(j)}$ occurs. Hence to prove Lemma 5, it suffices to prove that the probability of
event $R_5^{(j)}$, conditioned on any relevant values of $X$ and $X'$, is at most $\frac{1}{q}$.

The test $D_{2\text{-}1}$ fails if and only if $u_2 \ne u_1^{w}$. Thus if the test in $D_{2\text{-}1}$ fails but
would have passed in $G_2$, it must be the case that $u_2 \ne u_1^{w}$ and $c^{r_1} d^{r_1 a} =
\mathrm{EXP\text{-}LI}(j_1, \ldots, j_z, i;\ C_{j_1}, \ldots, C_{j_z}, C_i)(0)$. Taking logs (base $g_1$), the condition
$u_2 \ne u_1^{w}$ is equivalent to $r_2 \ne r_1$. If we let $\beta = \log_{g_1} c^{r_1} d^{r_1 a}$ and $\hat{\beta} = \log_{g_1}
\mathrm{EXP\text{-}LI}(j_1, \ldots, j_z, i;\ C_{j_1}, \ldots, C_{j_z}, C_i)(0)$, then $\hat{\beta} = r_1 X_1(0) + w r_2 X_2(0) + a r_1 Y_1(0) +
a w r_2 Y_2(0)$. Notice that $\hat{\beta}$ can be expressed in terms of $(X_1(0), X_2(0), \ldots, X_1(z),
X_2(z), Y_1(0), Y_2(0), \ldots, Y_1(z), Y_2(z))^T$. Therefore, we can make the following
equation (for details, see [10]):



Let us first fix $X$, which fixes the first $2z+2$ rows of the matrix $M$, but the
values $X_1(0), X_2(0), \ldots, Y_1(z), Y_2(z)$ are still uniformly distributed over $\mathbb{Z}_q$.

Next fix $X'$ such that $X$ and $X'$ are relevant and $r_1 \ne r_2$. Then the last row
of the matrix $M$ is fixed. From this, it follows by Lemma 4 that $\hat{\beta}$ is uniformly
distributed over $\mathbb{Z}_q$; but $\beta$ is fixed, so we have $\Pr[\hat{\beta} = \beta] = \frac{1}{q}$. □

Proof of Lemma 6. Fix $1 \le j \le Q_A(\lambda)$ and consider the quantities:

$X := (\mathrm{Coins}, H, w, Z_0, \ldots, Z_z, r_1^*, r_2^*, e^*)$, $X' := (X_0, \ldots, X_z, Y_0, \ldots, Y_z, \beta^*)$,

where $\beta^* = \log_{g_1} (c^{r_1} d^{r_1 a})^*$ and $i > z$. The values of $X$ and $X'$ completely
determine the adversary's entire behavior in Game $G_5$; in particular, they completely
determine the event $B'^{(j)}$. Let us call $X$ and $X'$ relevant if the event occurs.
It will suffice to prove that conditioned on any fixed, relevant values of $X$ and
$X'$, the probability that $R_5^{(j)}$ occurs is bounded by $\frac{1}{q}$. As in the proof of Lemma
5, we have the following equation (for the detail, see [10]):



Again conditioning on fixed values of $X$ and $X'$, we have that $\hat{\beta}$ is uniformly
distributed over $\mathbb{Z}_q$, but $\beta^*$ is fixed. Therefore, we have $\Pr[\beta^* = \hat{\beta}] = \frac{1}{q}$. □
Abstract. We study two closely related primitives: Broadcast Encryption
and Key Predistribution Schemes (KPS). Broadcast Encryption allows a
broadcaster to broadcast an encrypted message so that only a designated group
of users can decrypt it. KPS allows a designated group of users to establish a
common key non-interactively. We discover a generic method to construct
efficient broadcast encryption schemes and KPSs naturally from Pseudo-Random
Sequence Generators (PRSG) by observing that there are general “patterns” to
do so. The two currently best PRSG-based broadcast encryption schemes, the
“Subset Difference” (SD) scheme by Naor, Naor and Lotspiech and its refinement,
the “Layered SD” (LSD) scheme by Halevy and Shamir, are indeed two special
cases of our method. We demonstrate the power of this generic method by
giving: (1) A solution to the most challenging variant of KPS: the one which
supports an arbitrary number of users forming a group yet is secure against any
collusion. We obtain a lower bound on the private key size at each user for any
PRSG-based KPS in this setting and construct a KPS that meets this bound.
(2) Evidence that previous PRSG-based BE schemes, such as SD and LSD, can
be further improved without any further assumption using this general method.
We construct “Flexible SD” and “Flexible LSD” broadcast encryption schemes,
which require less private key size while still maintaining exactly the same
broadcast size compared to the original SD/LSD schemes.


1 Introduction 

Our main contribution is a generic method to construct efficient schemes for the
two following closely related primitives naturally from Pseudo-Random Sequence
Generators (PRSG). The primitives are:

Key Predistribution Scheme. A Key Predistribution Scheme (KPS) involves
$n$ users. Each user is given a unique private key. For a group of users $P \subseteq
N = \{1, \ldots, n\}$, any user in $P$ should be able to non-interactively compute a
common key $k_P$ using only its private key, while other users outside $P$ should
not be able to do so even if they collude. Such a scheme is motivated by the
scenario of secure conferences over a network. KPS can be viewed as a special case
of broadcast encryption, as we will see below.

Broadcast Encryption. Broadcast encryption (BE) involves 1 broadcaster
and $n$ receivers. Each receiver is given a unique private key. The broadcaster
is given a broadcaster key. The broadcaster wishes to broadcast messages to a
designated set $P \subseteq N = \{1, \ldots, n\}$ of receivers. Any receiver in $P$ should be able
to decrypt the broadcast message using only its private key, while other receivers
outside $P$ should not be able to do so even if they collude. A broadcast encryption
scheme is sometimes called a Revocation Scheme, where one is interested in the
subset of non-privileged users, or so-called revoked users, rather than privileged
ones, hence its name. Such a scheme is motivated largely by pay-TV systems and the
distribution of copyrighted material.

Relating the 2 Primitives. In BE, the message body is typically long and should
be encrypted by a key commonly known to $P$. We call such a key a message
encryption key Mek. To share Mek among $P$, the broadcaster produces a header
Hdr such that given Hdr and the private key of a user in $P$ one can obtain Mek. If
the private keys are generated by a KPS, each user in $P$ already has a common
key beforehand, thus there is no need for Hdr in this case. In this sense, KPS is
known as zero-header BE.

Overview of Previous Works. KPSs were introduced by Blom [5] and
formalized by Matsumoto-Imai [20]. Broadcast encryption schemes were first
formally studied by Fiat-Naor [13]. Since then, many variants of the basic problem
of KPSs and BEs have been proposed. The relations between the two primitives are
also captured in many works (see, e.g., [18]). Since a KPS can be viewed as a special
case of a BE, each variant of KPSs will be a variant of BEs (but not the converse).
Keep in mind that a KPS is a zero-header BE. Therefore it is enough to describe
variants of BEs as follows. To name just a few, the scheme might support a bounded
or unbounded number of privileged users and/or maximum size of the adversarial
coalition; the privileged subset of users can be fixed, slowly changing, or rapidly
changing; the keys stored by each user can be stateful or stateless (to be updated
or not); it might be possible to trace a traitor who illegally leaks its secret key in
the scenario so-called traitor tracing; the scheme might be symmetric-key or
public-key; and so on. We found it convenient to categorize the relevant schemes
by their approaches as follows. For BEs there are (1) combinatorial approaches:
schemes using combinatorial designs such as [6,23,19,18,17,15,4], and schemes
using tree structures such as [25,24,21,16,10,3]; and (2) algebraic approaches:
schemes using a secret sharing scheme in the exponent to perform ElGamal-like
encryption such as [2,22,11,12]. For KPSs almost all of them use combinatorial
approaches. Most of the past works on KPSs can be found in Kurosawa, et al. [18].

The Most Challenging Variant. We study the most challenging variant
of BE (and KPS), where it supports an unbounded number of users in privileged
subsets; an unbounded number of revoked users is allowed to form an adversarial
coalition (adaptively, by a central adversary); the privileged subset does not depend
on the history; and the private key stored by each user is stateless, i.e., it is fixed
from the initialization time. This combined variant is arguably the hardest but the
most desired one, especially the stateless scenario, as first argued explicitly by
Naor-Naor-Lotspiech [21].

The Main Goal and Some Solutions. The main goal for the BE and KPS
problems is to construct efficient schemes satisfying the above mentioned variant
where, for KPS, the private key size is small, and, for BE, both the header size
and the private key size are small as functions of $n$, $|P|$, or $r := n - |P|$.
A BE scheme which solves the above mentioned variant and achieves good
efficiency on only one side is trivial. On one side, the private key size is
independent of $n$ but the header size is linear in $|P|$. On the other side, the header
size is zero but the private key size is exponential in $n$. Note that the latter is a
trivial KPS, which is definitely inefficient, but is nevertheless considered the best
known solution for the above mentioned variant of KPS. As opposed to KPS, there
are many BE schemes whose efficiency is far better than the trivial schemes. One
solution which is considered a groundwork for many subsequent works is due
to Naor-Naor-Lotspiech [21]. It associates each user with a leaf of a balanced
binary tree, yielding a scheme called complete subtree (CS) in which the header
size is $O(r \log(n/r))$ and the private key size is $O(\log n)$.

Major improvements to this idea were the subset difference (SD) method
in the same paper [21] and its refinement, the layered SD method, by Halevi-
Shamir [16]. Both obtain header size $O(r)$. While the SD scheme obtains
private key size $O(\log^2 n)$, the LSD scheme obtains private key size
$O(\log^{1+\epsilon} n)$ for small $\epsilon > 0$. A more recent improvement due to Asano [3] utilizes
the master key technique of Chick-Tavares [8] on a balanced $a$-ary tree version
of CS where $a > 2$ (instead of a binary tree). This scheme obtains header
size $O(r(\log_a(n/r) + 1))$ and private key size $O(1)$. These 3 schemes are
considered the current state of the art for BE in the sense that while the SD/LSD
schemes obtain smaller header size, rely on a weak computational assumption, and
have much lower computational cost, Asano's scheme obtains the minimum private
key size.

The basic idea of the schemes above is a mechanism called the subset-cover
framework [21]. Schemes in this framework differ from one another in (1) an
underlying collection of subsets of a particular form, and (2) techniques which
make use of a computational assumption to enable the generation of many
computationally unrelated private keys. The improvements of recent works are primarily
due to sophisticated design of the underlying collection in (1) to shorten the
header size, and utilization of the technique in (2) to shorten the private key size.

Shortening Private Key Size. Various methods to shorten the private key
size are depicted in Figure 1. We capture these in 4 types. For simplicity, let
us consider a KPS where $N = \{1, 2, 3\}$. Each user $u$ is supposed to be able to
compute the common key $k_S$ of each set $S \subseteq N$ where $u \in S$. In the trivial KPS,
user $u \in N$ just stores $\{k_S : u \in S \subseteq N\}$ as the private key set. The goal now
is to reduce the number of elements in the private key set (recall that KPS is
zero-header BE, thus we do not worry about reducing the header for now).

Fig. 1. Various methods to shorten key size: type 1-4 from left to right.

A natural way to do so is to let each user keep one master key which can be
used to derive all common keys that he is supposed to be able to compute. This
method is shown as type 1 in Figure 1. We denote by $A \rightarrow B$, where $A \subset B \subseteq N$,
a one-way computation which takes as input $k_A$ and outputs $k_B$, i.e., one can easily
compute $k_B$ given $k_A$ but given $k_B$ it is hard to compute $k_A$. Note that this arrow
notation applies to all types in the figure. Observe that every method in type
2 in fact also falls into type 1. The good functionality of the one-way computation
of these first 2 types is that, for any different inputs which are intractable to
compute given one another, one can design a one-way computation such that it
results in the same output. This functionality gives these first 2 types a very
short private key, namely one master key $k_{\{u\}}$ for each user $u$.

The master key trick was originally introduced by Akl-Taylor [1] and Chick-
Tavares [8] and brought to the context of BE first by Asano [3]. This trick uses the
RSA assumption and falls into type 2. Another elegant trick for mastering keys
was proposed recently by Boneh-Silverberg [7]. Their scheme utilizes multilinear
forms and assumes the Diffie-Hellman inversion assumption. This trick falls into
type 1. Now that we have BEs with zero header and the private key size as
small as possible, does this mean that we are done? The answer is no.
The reasons are as follows. For the trick using multilinear forms, unfortunately
there is no known concrete construction of such forms to date, and it is
believed to be hard to find one, as argued by the authors themselves. For
the trick using RSA, it turns out that such a scheme requires a large number of
primes, $O(2^n)$, which is extremely inefficient both for storage and for generation.
Note, however, that the trick using RSA works fine for non-zero-header BEs [3].
Nonetheless, for the trick using RSA in all cases, a critical disadvantage besides
the issue of primes is the heavy computation due to the modular exponentiation
with an exponent that is a product of many primes, performed without knowing
the group order.

Type 3 was implicitly mentioned first in Akl-Taylor [1]. In this type the
functionality of the one-way computation, as opposed to the first 2 types, allows only
one input per output. User $u$ just stores $k_B$ whenever $u \in B \subseteq N$ and $u \notin A$,
where $A \rightarrow B$ and $A$ appears just before $B$ in the diagram. The method of type
3 just makes use of any length-preserving one-way function. A natural way to
generalize this idea is to use one-way functions that expand the length of their
inputs, such as a pseudo-random sequence generator (PRSG) $G_d()$, $d \in \mathbb{Z}^+$, which
$d$-ples the input, i.e., whose output bit length is $d$ times that of the
input, so that from one key, $d$ keys can be derived. This idea falls into type
4. The schemes which implicitly use this type of method in the context of BE
are the SD [21] and LSD [16] methods. Note that no KPS has been constructed
using this technique before. Shortening the private key size using only a PRSG in
type 4 has an obvious advantage over the one using RSA in type 2, since it needs
no primes and its computation is much more efficient. Moreover, and perhaps
more critical, the existence of PRSGs is considered a weak assumption.
Basing a cryptographic system only on a weak assumption is always preferred.


Motivation. The question is how one can use the method of type 4, shortening
the private key size by utilizing a PRSG, to its greatest benefit. We take a look
back at the schemes which implicitly utilize this method: the SD and LSD
schemes. The balanced tree representation used in SD/LSD has good properties,
since it somehow captures the nature of PRSGs: it utilizes the PRSG by feeding
values related to parent nodes into the PRSG so that the PRSG outputs values
related to their child nodes. However, the strict structure of subset difference is
too rigid to capture the good properties of PRSGs, thus the optimality of the LSD
scheme argued by Halevi-Shamir [16] in their work holds only for their structure.
To obtain the greatest benefit from PRSGs, a more flexible generalization of the
idea must be rigorously captured.


Our Main Results. We observe that there are general “patterns” to construct
broadcast encryption schemes and KPSs naturally from PRSGs. We call such
a pattern a sequential key derivation pattern. We demonstrate the power
of these general patterns by giving:

1. A solution to the most challenging variant of KPS: the one which supports
an arbitrary number of users forming a group yet is secure against any collusion.
We obtain a lower bound on the private key size at each user for any PRSG-
based KPS in this setting. This lower bound on the private key size appears
to be $O(1/n)$ times that of an information-theoretically secure KPS in the same
setting [9]. We then propose an optimal construction of KPS which meets
the bound. This construction makes use of a new combinatorial structure
which is of independent interest.

2. Evidence showing that the previous best PRSG-based BE schemes, SD and
LSD, can be further improved without any further assumption by using this
general method. To do this, we construct “Flexible SD” (FSD) and “Flexible
LSD” (FLSD) broadcast encryption schemes. Such schemes require, although
asymptotically the same, a smaller exact private key size while still maintaining
exactly the same broadcast size compared to the original SD/LSD schemes.
More concretely, the number of private keys is reduced by at most $\log n$ from
the original schemes. This reduction depends on the user index. In particular,
in the FSD and FLSD schemes, there are exactly $n/2$ users and $n/2^{\sqrt{\log n}}$
users who store exactly $\log n$ fewer keys than in the SD and (Basic)
LSD schemes respectively.
Table 1. Summary of results compared to previous works. The parameter in each KPS
is the storage size at a user: the first term in the addition is the private key size, the second
term is non-secret storage. The parameters in each BE consist of the private key size
(in terms of the exact number of elements) in the upper row, and the header size (in
terms of a bound on the exact number of elements) in the lower row. The parameters
$w_u$, $z_u$ are functions of the user index $u$, for $u \in N$ (see Theorems 2 and 3 for detail).

Based on (utilization of technique) | Multilinear form (type 1) | RSA (type 2) | PRSG (type 4)

KPS | [7]: $O(1) + O(n)$ | [3] (implicitly), [4]: $O(1) + O(2^n \log n)$ | (This work): entries illegible in the scan

BE | (none) | [3]: header $r(\log_a(n/r) + 1)$ | SD [21]: $\mathrm{key}_{SD} = (\log^2 n + \log n)/2 + 1$; header $2r - 1$
   |        |                                  | (Basic) LSD [16]: $\mathrm{key}_{LSD} = \log^{3/2} n + 1$; header $4r - 2$
   |        |                                  | FSD (This work): $\mathrm{key}_{SD} - w_u$, $0 \le w_u \le \log n$, $u \in N$; header $2r - 1$
   |        |                                  | FLSD (This work): $\mathrm{key}_{LSD} - z_u$, $0 \le z_u \le \log n$, $u \in N$; header $4r - 2$

2 Definitions

Definition 1 (Broadcast Encryption, BE). A Broadcast Encryption
Scheme (BE) is a 3-tuple of polynomial-time algorithms (Keygen, Encrypt,
Decrypt), where:

BE.Keygen($1^\lambda$, n): Takes as input a security parameter $1^\lambda$ and the number of users
$n$. It outputs $n$ sets of receiver keys $I_1, \ldots, I_n$ and a sender key $T$.

BE.Encrypt(P, T, Mek): Takes as input a subset $P \subseteq N := \{1, \ldots, n\}$ of
privileged users, the sender key $T$, and a message encryption key Mek. It outputs
a header Hdr of the ciphertext.

BE.Decrypt(P, Hdr, $I_u$): Takes as input a subset $P \subseteq N$, a header Hdr, and a
receiver key $I_u$. It outputs the message encryption key Mek that was sent if
$u$ was in the set $P$, or the special symbol $\perp$ otherwise.

In practice, it is used in conjunction with a symmetric encryption algorithm $F$
to encrypt the message body $M$ under the message encryption key Mek, resulting
in a broadcast body $C_M$. The broadcast to receivers consists of $(P, \mathrm{Hdr}, C_M)$.

The security notion for broadcast encryption that we are concerned with here is
the one considered by Naor, et al. [21], where security against chosen-ciphertext
attack with adaptive user corruption is defined.

In the same paper [21], the authors presented the subset-cover algorithm as
a sufficient condition to construct such a broadcast encryption scheme. Here we
recap its definition as follows. Notice that it is slightly different in context
from the original one.
Definition 2 (Subset-Cover Algorithm, SC) A subset-cover algorithm SC
is a 2-tuple of polynomial-time algorithms (DefineSet, Cover), where:

SC.DefineSet(n): Takes as input the number of users $n$. It outputs a family $\mathcal{S}$
of subsets of $N$ and a user structure $\Gamma$ (for example, a binary tree of users).
SC.Cover(P, $\mathcal{S}$): Takes as input a privileged subset $P$ of users and the family $\mathcal{S}$
defined by DefineSet. It outputs a partition $\mathcal{S}_P := \{S_{i_1}, S_{i_2}, \ldots, S_{i_m} :
S_{i_j} \in \mathcal{S}\}$ of $P$, i.e., $P = \bigcup_{j=1}^{m} S_{i_j}$, such that the number of subsets in it is
the minimum among all possible partitions of $P$ by $\mathcal{S}$.

A broadcast encryption in the subset-cover framework is a broadcast encryption
scheme that makes use of a subset-cover algorithm as its subalgorithm as
follows.

BE.Keygen($1^\lambda$, n) Run SC.DefineSet(n) to get $(\mathcal{S}, \Gamma)$. From $\Gamma$, it determines a
subset key $k(S_i)$ for each $S_i \in \mathcal{S}$. Then it defines $I_u$ to be the set of $\lambda$-bit
strings containing the minimal elements yet still being sufficient to easily
deduce each subset key $k(S_i)$ where $u \in S_i$ from $I_u$. The broadcaster key $T$
is the set consisting of all the subset keys.

BE.Encrypt(P, T, Mek) Run SC.Cover(P, $\mathcal{S}$) to obtain $\{S_{i_1}, S_{i_2}, \ldots, S_{i_m}\}$. The
Mek is encrypted by an encryption scheme $E$ under each subset key $k(S_{i_j})$, $j =
1, \ldots, m$, yielding a Hdr:

$((i_1, E_{k(S_{i_1})}(\mathrm{Mek})), \ldots, (i_m, E_{k(S_{i_m})}(\mathrm{Mek})))$

BE.Decrypt(P, Hdr, $I_u$) Parse Hdr as $((i_1, c_1), \ldots, (i_m, c_m))$; it finds $i_j$ such that
$u \in S_{i_j}$ (in case $u \notin P$ the result is null). Denote by $D$ the decryption algorithm
corresponding to $E$. It uses $I_u$ to derive $k(S_{i_j})$, then computes $D_{k(S_{i_j})}(c_j)$ to
obtain Mek.

Also in the same paper [21], they define a security notion for broadcast
encryption in the subset-cover framework, namely Key Indistinguishability (kIND),
and prove that a BE in the subset-cover framework is a secure broadcast encryption
if it satisfies kIND and the corresponding encryption schemes $E$ and $F$ are
IND-CCA1 secure. Therefore, when proving the security of such a BE
constructed in this framework, we just prove that it satisfies kIND. Informally,
kIND says that any polynomial-time adversary can distinguish, with at most
negligible probability, the subset key of a privileged subset $P$ of its choice from a
random string of the same length, even when given all private keys of users
outside $P$.
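The subset-cover flow above, worked through in Python as an added example (this is
not code from the paper): SC.Cover picks a minimum partition of $P$ by exhaustive
search, Keygen hands each user the keys of the subsets containing it (the trivial,
uncompressed $I_u$), Encrypt builds Hdr as the list of $(i_j, E_{k(S_{i_j})}(\mathrm{Mek}))$ pairs,
and Decrypt picks the entry for the user's own subset or returns None for $\perp$.
The family $\mathcal{S}$, $n = 4$, and the keyed one-time mask standing in for $E$ are all
constructed for the example; the mask is only a placeholder so the flow runs, not the
IND-CCA1 scheme the framework requires. $\mathcal{S}$ is passed explicitly to Encrypt and
Decrypt because this toy has no user structure $\Gamma$.

```python
import hashlib
import hmac
import os

N_USERS = 4  # constructed example: N = {1, 2, 3, 4}


def define_set(n):
    """SC.DefineSet(n): the family S as a list of frozensets; the list index
    plays the role of i in S_i. The family is a constructed example."""
    users = range(1, n + 1)
    singletons = [frozenset({u}) for u in users]
    extra = [frozenset({1, 2}), frozenset({3, 4}), frozenset(users)]
    return singletons + extra


def cover(P, S):
    """SC.Cover(P, S): indices of a minimum-size partition of P by subsets of S.
    Exhaustive search with memoisation; the subset covering min(P) is chosen first."""
    memo = {}

    def best(rest):
        if not rest:
            return []
        if rest in memo:
            return memo[rest]
        lo = min(rest)
        candidates = []
        for i, s in enumerate(S):
            if lo in s and s <= rest:
                tail = best(rest - s)
                if tail is not None:
                    candidates.append([i] + tail)
        memo[rest] = min(candidates, key=len) if candidates else None
        return memo[rest]

    return best(frozenset(P))


def keygen(n, S):
    """BE.Keygen: one random subset key per S_i. T holds all subset keys;
    I_u holds the keys of exactly the subsets containing u (no compression)."""
    T = {i: os.urandom(16) for i in range(len(S))}
    I = {u: {i: k for i, k in T.items() if u in S[i]} for u in range(1, n + 1)}
    return I, T


def E(key, mek):
    """Stand-in for the symmetric scheme E: fresh nonce, HMAC-derived one-time mask.
    Placeholder only; it is not the IND-CCA1 scheme the framework assumes."""
    nonce = os.urandom(16)
    mask = hmac.new(key, nonce, hashlib.sha256).digest()[:len(mek)]
    return nonce, bytes(a ^ b for a, b in zip(mek, mask))


def D(key, ct):
    """Decryption matching the stand-in E."""
    nonce, body = ct
    mask = hmac.new(key, nonce, hashlib.sha256).digest()[:len(body)]
    return bytes(a ^ b for a, b in zip(body, mask))


def encrypt(P, T, S, mek):
    """BE.Encrypt(P, T, Mek): Hdr = [(i_1, E_{k(S_i1)}(Mek)), ..., (i_m, E_{k(S_im)}(Mek))]."""
    return [(i, E(T[i], mek)) for i in cover(P, S)]


def decrypt(P, Hdr, I_u, S):
    """BE.Decrypt(P, Hdr, I_u): use the header entry whose subset key u holds;
    None stands for the symbol ⊥ when u is not privileged."""
    for i, c in Hdr:
        if i in I_u:  # I_u contains key i exactly when u is in S_i
            return D(I_u[i], c)
    return None
```

The header length equals the cover size, so for $P = \{1, 2, 3\}$ the toy family gives a
two-element header ($\{1, 2\}$ and $\{3\}$), and the revoked user 4 holds no key that
appears in it.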

Definition 3 (Key Predistribution Scheme, KPS). A Key Predistribution
Scheme KPS consists of a polynomial-time algorithm Keygen, where:

KPS.Keygen($1^\lambda$, n) Takes as input a security parameter $1^\lambda$ and the number of users
$n$. It outputs $n$ sets of user keys $I_1, \ldots, I_n$ such that for $S \subseteq N$ and $S \ne \emptyset$, a
conference key $k(S)$ can be derived from $I_u$ if and only if $u \in S$.

Observe that we can use KPS.Keygen for BE.Keygen, resulting in a broadcast
encryption in the subset-cover framework in which $\mathcal{S}$ is the collection of all
non-empty subsets of $N$. Consequently, we just let BE.Encrypt(P, T, Mek) output
nothing (zero-header) and let Mek be $k(P)$. In this sense, KPS can be viewed
as zero-header BE. Therefore, the security notion for KPS is indeed the key
indistinguishability notion mentioned before.

3 Broadcast Encryption from PRSG

3.1 Generic Broadcast Encryption

We formally capture the nature of a broadcast encryption scheme constructed
from a pseudo-random sequence generator into a general “pattern”. We
call such a pattern a Sequential Key Derivation Pattern or SKDP. This pattern
was explained briefly in the introduction as the type 4 method to shorten the
private key size. We formalize it here, giving the definition of the pattern first
and explaining it afterwards.

Definition 4 (Sequential Key Derivation Pattern, SKDP). Let $N :=
\{1, 2, \ldots, n\}$. Let $F$ be a forest of rooted trees in which each node is labelled with a
different subset of $N$. We say that $(N, F)$ is a sequential key derivation pattern
if:

1. The label at each node which is not a root in each tree is a superset of the
label at its parent node.

2. For every subset $S$ of $N$, $S$ can be partitioned into a disjoint union of
subsets labelled at some nodes in $F$.

Notation. A forest $F$ is specified by a set of nodes and a set of edges. Since
each node is labelled with a different subset of $N$, we represent a node by its label.
An edge is defined by an ordered pair of nodes directed away from their root.
A path from root to leaf is defined by an ordered set of nodes on that path,
directed away from their root. We will call a path from root to leaf an rl-path.
The set of all rl-paths in $F$ is denoted by $\mathrm{Path}(F)$. The $i$-th node from the root in
rl-path $a$ is denoted by $a[i]$. Observe that for $a \in \mathrm{Path}(F)$ it is true from
property 1 that $a[i-1] \subset a[i]$, thus we denote $a[i] \setminus a[i-1]$ by $\Delta a[i]$ and call it a
differential label at node $a[i]$ for $i \ge 1$. Let $\Delta a[0] = a[0]$. For $a \in \mathrm{Path}(F)$ define
a differential path $\Delta a$ as the ordered set of all differential labels in the rl-path $a$.
Denote the set of all differential paths in $F$ by $\mathrm{DPath}(F)$. Denote by $\nabla$ the opposite
operation of $\Delta$, i.e., if $p = \Delta a$ then $\nabla p = a$ for $a \in \mathrm{Path}(F)$, $p \in \mathrm{DPath}(F)$. For
clarity, note that $\nabla p[i] = (\nabla p)[i]$. Denote by $a|_i$ the ordered set whose elements
are the first $i$ elements of $a$ in the same order. Also we often call a
label an absolute label to distinguish it from a differential one.

An example of an SKDP is the one shown as type 4 in Figure 1. A path $2 \rightarrow
12 \rightarrow 123$ is an example of an rl-path. We represent it as $a = (\{2\}, \{1, 2\}, \{1, 2, 3\})$.
The corresponding differential path is thus $\Delta a = (\{2\}, \{1\}, \{3\})$.
Intuitively, each node is assigned a subset key of its label (recall that its label
is a subset of $N$). Informally, property 1 in the above definition allows the
one-way computation from a subset key of a node, say $v$, to the subset keys of its child
nodes, say $w_1, \ldots, w_d$. Property 2 makes sure that the subset-cover algorithm
can be used. Note that in the following generic scheme, we will not use a subset
key to compute another subset key directly but will use an intermediate key, as
we will see later.

The cryptographic primitive used for the one-way computation is a pseudo-
random sequence generator $G_d()$, $d \in \mathbb{Z}^+$, that $d$-ples the input, i.e., whose output
length is $d$ times the length of the input. We say that $G_d : \{0, 1\}^\lambda \rightarrow \{0, 1\}^{d\lambda}$
is a pseudo-random sequence generator if no polynomial-time adversary can
distinguish the output of $G_d$ on a randomly chosen seed from a truly random
string of the same length.

Generic Construction. Now we will formally describe the generic broadcast encryption in the subset-cover framework that makes use of an SKDP $(N, F)$. It is enough to specify only SC.DefineSet, SC.Cover, and BE.Keygen since BE.Encrypt and BE.Decrypt can be applied transparently from the last section.

SC.DefineSet($n$) It defines $\mathcal{S}$ as the set of labels at all nodes in $F$. It also outputs $F$ as given from the SKDP.

SC.Cover($P$, $\mathcal{S}$) Due to property 2 of SKDP, each subset $P$ of $N$ can be partitioned into a disjoint union of subsets labelled at some nodes in $F$, thus a disjoint union of subsets in $\mathcal{S}$. It partitions the set $P$ into $\mathcal{S}_P := \{S_{i_1}, S_{i_2}, \ldots, S_{i_m} : S_{i_j} \in \mathcal{S}\}$ with the minimum number of subsets.

BE.Keygen($1^{\lambda}$, $n$) Before specifying the algorithm, the definitions of intermediate key, subset key, and their relation are given first as follows:

Intermediate Key. Each subset $S_i \in \mathcal{S}$ is assigned an intermediate key $t(S_i)$. Each user in $S_i$, say $u$, should be able to derive $t(S_i)$ from $I_u$.

Subset key. Each subset $S_i \in \mathcal{S}$ is assigned a subset key $k(S_i)$. A subset key $k(S_i)$ can be derived from the intermediate key $t(S_i)$. We say that a node is assigned a subset key $k(S_i)$ if that node is labelled $S_i$.

Derivation. Let $S_i$ be a subset labelled at a node which is not a leaf in $F$. Suppose that the outdegree of this node is $d$. Let $S_{i_1}, S_{i_2}, \ldots, S_{i_d}$ be the subsets labelled at its children, with $i_1 < \cdots < i_d$. The derivation is defined as

$t(S_{i_1}) \,\|\, t(S_{i_2}) \,\|\, \cdots \,\|\, t(S_{i_d}) \,\|\, k(S_i) := G_{d+1}(t(S_i))$

where $|t(S_{i_1})| = \cdots = |t(S_{i_d})| = |k(S_i)| = \lambda$ bits and $\|$ is concatenation.

This recurrence relation is well defined if all the initial values, which in fact are the intermediate keys assigned at the roots of the unconnected trees of the forest, are defined.

Now we will specify BE.Keygen. It randomly chooses $\lambda$-bit strings, exactly as many as there are unconnected trees in $F$. It then assigns each string to be the intermediate key at the root of each unconnected tree respectively. User $u$ should be given the intermediate key assigned at the node whose label contains $u$, say node $v$, which appears first when looking from root to leaf in each such rl-path, so that $u$ can derive all the intermediate keys assigned at $v$'s descendants, whose labels are supersets of the label at $v$, but not the ones assigned at $v$'s ancestors, whose labels do not contain $u$. That is, $I_u$ is the set of all intermediate keys at nodes whose differential labels contain $u$. Formally $I_u = \{t(a[i]) : u \in \Delta a[i],\ a \in \mathrm{Path}(F)\}$.

Theorem 1 The above generic broadcast encryption scheme from SKDP satisfies the kIND property assuming a secure pseudo-random sequence generator.

Remark 1: A Note on Public Key Extension. A public-key extension of our generic broadcast encryption from SKDP can be constructed directly by utilizing Hierarchical Identity-Based Encryption [14] with the hierarchical tree obtained by connecting all roots of the unconnected trees in $F$ of the SKDP to a new central root. This is indeed the same method as proposed by Dodis-Fazio [10], but we believe that our interpretation provides a better understanding.


3.2 Flexible SD/LSD Broadcast Encryption 

We construct schemes called Flexible SD/LSD to demonstrate the power of our generic method. In general, the following mechanism is just one example of a conversion from any PRSG-based broadcast encryption scheme into a scheme with a smaller private key size while maintaining exactly the same header size. Moreover, with a further adaptation, we can also reduce the header size by trading off the computational cost. In particular, we apply this conversion to the SD scheme [21] and the LSD scheme [16] to get the Flexible SD and LSD schemes (FSD/FLSD) respectively. We call them flexible since their structures come from a flexible generalization of the idea by our general method.

We assume that the reader is familiar with the SD/LSD schemes. Observe that the SD/LSD schemes are indeed two such patterns of SKDP. The SKDP implicitly used in SD is shown explicitly in Figure 2(left). The SKDP for the LSD scheme is just an adaptation of that of the SD scheme with some labels absent.

The conversion is very simple. Intuitively, we just split the differential label of each node which is not a singleton subset of $N$ in the original scheme into a union of differential labels which are singleton subsets and connect them in an appropriate order (step 1). After step 1, some rl-paths will become sub-paths (from the root) of other rl-paths. Observe that such repeated parts represent the same sets of absolute labels. Therefore we can delete those sub-paths from the collection of all rl-paths (step 2), since doing so does not affect the collection of absolute labels, and thus also the header size. These deletions reduce the private key size. In step 3, absolute labels which are not absolute labels in the original scheme are combined until there is no such case. We do this since these labels are not needed for the subset-cover algorithm. They would only make rl-paths too long and consequently increase the computational cost. However, as we will see later, step 3 can be skipped, and we will then obtain a scheme in which, besides the private key size, the header size is also reduced. Note that the procedures in the following description are made somewhat redundant for a better understanding.

The FSD and FLSD Schemes. Let X be the SD or LSD scheme. Let $(N, F_X)$ be an SKDP for scheme X. The conversion from scheme X to scheme FX is done as follows:

Step 1 For each $p \in \mathrm{DPath}(F_X)$, let $|p| = \rho$ and $|p[i]| = k_i$, and do the following:

1. For $i : 0 \leq i \leq \rho - 1$, parse $p[i]$ as $\{a_{i,1}, \ldots, a_{i,k_i}\}$ where $a_{i,1} < \cdots < a_{i,k_i}$.

2. Define $f(p) = (\{a_{0,1}\}, \ldots, \{a_{0,k_0}\}, \{a_{1,1}\}, \ldots, \{a_{1,k_1}\}, \ldots, \{a_{\rho-1,1}\}, \ldots, \{a_{\rho-1,k_{\rho-1}}\})$.

After all, let $A = \{f(p) : p \in \mathrm{DPath}(F_X)\}$.

Step 2 For any $v, w \in A$, $v \neq w$, such that $v = w|_{|v|}$, decrement $A$ to $A \setminus \{v\}$. Repeat this until there is no such case.

Step 3 For each $q \in A$, if there is $j$ such that $\nabla q[j] \notin \mathcal{S}_X$ then renew $q$ to be $(q[0], \ldots, q[j-1], q[j] \cup q[j+1], q[j+2], \ldots, q[|q|-1])$. Repeat this until there is no such case.

Step 4 Finally we let $\mathrm{DPath}(F_{FX}) = A$.



Theorem 2 For $1 \leq u \leq n - 1$, let $x_u := \max\{k : 2^k \mid u\}$. Then

$|I_{u,FSD}| = |I_{u,SD}| - \log n + x_u,$

and $|I_{n,FSD}| = |I_{n,SD}|$. Recall that $|I_{u,SD}| = (\log^2 n + \log n)/2 + 1$ for all $u \in N$.

PROOF. It is enough to show how many differential paths containing $u$ are deleted in step 2. We put the label $N$ away for a while. For $1 \leq k \leq \log n$, let $B_k$ be the collection of all $k$-length differential paths of SD. Wlog, we consider the deletions in $B_1, \ldots, B_{\log n - 1}$ respectively. By inspection, for each $k$, a differential path $p \in B_k$ will satisfy $f(p) = f(p')|_{|f(p)|}$ for some $p' \in B_{k'}$, $k' > k$, iff

$f(p) = (\{q 2^k + 1\}, \{q 2^k + 2\}, \ldots, \{q 2^k + 2^k - 1\}),$

for some integer $q \geq 0$. Thus there will be no deletion for user $u$ iff $2^k \mid u$. Hence in the last step, when considering $k = \log n - 1$, the number of deletions for $u$ will be $\log n - 1 - \max\{k : 2^k \mid u\} = \log n - 1 - x_u$. Finally, if $u \neq n$, then there is one more deletion from the label $N$; thus the reduction will be $\log n - x_u$. □

To illustrate this theorem, one can verify from Figure 2 that in FSD, for $u = 1, 3, 5, 7$: $|I_u| = 4$; for $u = 2, 6$: $|I_u| = 5$; and $|I_4| = 6$, $|I_8| = 7$; while in SD, $|I_u| = 7$ for all $u \in N$. The following corollary follows directly from Theorem 2.

Corollary 1 In the FSD scheme, for $1 \leq j \leq \log n$, there are exactly $n/2^j$ users whose number of keys is $|I_{u,SD}| - \log n - 1 + j$. And only one remaining user has $|I_{u,SD}|$ keys.
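The conversion above, as an added example that is not part of the paper: steps 1 to 4 run on the SKDP of the SD scheme for n = 8. The SD pattern is built here from the SD definition S_{i,j} = leaves(i) \ leaves(j) in a complete binary tree (an assumption of this example; Figure 2 is not reproduced), and the run reproduces the FSD key counts quoted above while checking that the absolute labels, and hence the header size, are unchanged.

```python
# Added example, not from the paper: steps 1-4 of the X -> FX conversion run on
# the SD scheme for n = 8. The SD pattern is built here from the SD definition
# S_{i,j} = leaves(i) \ leaves(j) in a complete binary tree (an assumption of
# this example; Figure 2 of the paper is not reproduced).

def sd_dpaths(n):
    """Differential paths of the SD SKDP. An rl-path starts at S_{i,c} (c a
    child of i) and moves j down to a leaf; the differential label added at
    each step is the leaf set of the sibling of the new j. The single node
    labelled N is the one-element path (N,)."""
    paths = []

    def walk(lo, hi):                       # internal node covering leaves lo..hi
        if lo == hi:
            return
        for leaf in range(lo, hi + 1):      # one rl-path per leaf below this node
            diffs, a, b = [], lo, hi
            while a < b:
                m = (a + b) // 2
                if leaf <= m:               # go left: sibling is the right half
                    diffs.append(frozenset(range(m + 1, b + 1)))
                    b = m
                else:                       # go right: sibling is the left half
                    diffs.append(frozenset(range(a, m + 1)))
                    a = m + 1
            paths.append(tuple(diffs))
        mid = (lo + hi) // 2
        walk(lo, mid)
        walk(mid + 1, hi)

    walk(1, n)
    paths.append((frozenset(range(1, n + 1)),))
    return paths

def absolute_labels(dpaths):
    """S_X: every nabla p[j], i.e. every prefix union of every path."""
    labels = set()
    for p in dpaths:
        acc = frozenset()
        for d in p:
            acc = acc | d
            labels.add(acc)
    return labels

def convert(dpaths):
    """Steps 1-4 of the conversion; returns DPath(F_FX)."""
    S_X = absolute_labels(dpaths)
    # Step 1: f(p) splits each differential label into singletons, increasing order.
    A = {tuple(frozenset([e]) for d in p for e in sorted(d)) for p in dpaths}
    # Step 2: drop every v that is a proper prefix w|_{|v|} of some other w.
    A = {v for v in A if not any(w != v and w[:len(v)] == v for w in A)}
    # Step 3: merge q[j] into q[j+1] while some nabla q[j] is not a label of X.
    out = set()
    for q in A:
        q, merged = list(q), True
        while merged:
            merged, acc = False, frozenset()
            for j in range(len(q) - 1):
                acc = acc | q[j]
                if acc not in S_X:
                    q[j:j + 2] = [q[j] | q[j + 1]]
                    merged = True
                    break
        out.add(tuple(q))
    return out                              # Step 4: DPath(F_FX) = A

def key_counts(dpaths, n):
    """|I_u|: the number of distinct nodes whose differential label contains u."""
    nodes = {}                              # absolute label -> differential label
    for p in dpaths:
        acc = frozenset()
        for d in p:
            acc = acc | d
            nodes[acc] = d
    return {u: sum(1 for d in nodes.values() if u in d) for u in range(1, n + 1)}

def sd_vs_fsd(n=8):
    """Returns (|I_u| in SD, |I_u| in FSD, whether S_SD == S_FSD)."""
    sd = sd_dpaths(n)
    fsd = convert(sd)
    return key_counts(sd, n), key_counts(fsd, n), absolute_labels(fsd) == absolute_labels(sd)
```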

In the following theorem, we consider only the basic LSD (bLSD) scheme for simplicity. The results for general LSD schemes can be obtained similarly.

Theorem 3 For $1 \leq u \leq n - 1$, let $x_u := \max\{k : 2^k \mid u\}$. Then

$|I_{u,FbLSD}| = |I_{u,bLSD}| - \log n + x_u + y_u,$

where

$y_u = \big|\{\, j : 1 \leq j \leq \log n,\ \sqrt{\log n} \mid j,\ 2^j - 2^{\sqrt{\log n}} + 1 \leq u \bmod 2^j \leq 2^j - 1 \,\}\big|,$

and $|I_{n,FbLSD}| = |I_{n,bLSD}|$. Recall that $|I_{u,bLSD}| = \log^{3/2} n + 1$ for all $u \in N$.

Intuitively, the term $y_u$ comes from the number of differential labels containing $u$ that were in $\mathcal{S}_{SD}$ and would have been deleted in step 2, but are not in $\mathcal{S}_{bLSD}$. Note that $y_u \leq \log n - x_u$ since we just add back what we would have deleted if it were the SD scheme.

Analogous to Corollary 1, in the FbLSD scheme we could indeed show the exact number of users as a function of the number of keys. However, it turns out that the expressions are quite complex. We thus state only the particular case where the number of keys is the fewest, to give some intuition, as follows.

Corollary 2 In the FbLSD scheme, there are exactly $n / 2^{\sqrt{\log n}}$ users whose number of keys is $|I_{u,bLSD}| - \log n$.

Theorem 4 The FSD/FLSD schemes require the same header size as the original schemes for every instance, and the computational cost is bounded by $O(\log^2 n)$.

We briefly prove this theorem. First, the header size remains unchanged since $\mathcal{S}_X = \mathcal{S}_{FX}$. Second, it can be shown that the longest rl-path contains $(\log^2 n + \log n)/2$ edges, which is $O(\log^2 n)$.

Remark 2: On Reducing the Header Size. If we skip step 3, then there are some labels which are in $\mathcal{S}_{FX}$ but not in $\mathcal{S}_X$. This means that in the FX scheme we have more choices to cover any privileged subset, hence the header size will be reduced for some instances of broadcast. On the down side, the longest rl-path will have length $n$, resulting in an increased computational cost. Nevertheless, skipping or not skipping step 3 are the two extreme cases on a spectrum. In this sense, we can trade off the header size against the computational cost.
4 Key Predistribution Scheme from PRSG

4.1 Lower Bound

Theorem 5 Every PRSG-based KPS satisfies $\max_{u \in N} |I_u| \geq \lceil (2^n - 1)/n \rceil$.

Note that this is $O(1/n)$ less than the lower bound in the information-theoretically secure KPS in the same setting, in which such a bound is $2^{n-1}$ [9].

A further fact from the proof of this theorem is that two necessary conditions for equality to hold are: (i) The differential label at each node must be a singleton set. (ii) For each $u \in N$, $|I_u|$ is equal to $\lceil (2^n - 1)/n \rceil$ or $\lfloor (2^n - 1)/n \rfloor$.


4.2 An Optimal Construction 

Intuition. To design a set of differential paths $\mathrm{DPath}(F)$ to represent an SKDP for an optimal KPS, we have to make sure of the following requirements¹:

— It really represents an SKDP: the (absolute) labels at any two different nodes are different. For example, there are no two paths from a root (not necessarily to a leaf) $1 \to 12$ and $2 \to 12$ appearing simultaneously; that is to say, there are no differential paths $1 \to 2 \to \cdots$ and $2 \to 1 \to \cdots$ at the same time.

— It can be used for KPS: the set of (absolute) labels at all nodes completes the set of non-empty subsets of $N$.

— It is optimal: for each $u \in N$ the number of differential labels in which $u$ appears is $\lceil (2^n - 1)/n \rceil$ or $\lfloor (2^n - 1)/n \rfloor$.

Consider the case where $n$ is a prime larger than 2. When $n$ is not a prime, a construction can be achieved similarly but is more complex. Theorem 5 can be intuitively interpreted as follows. First, due to fact (i), for each nonempty $S \subseteq N$ it must be that $t(S) \in I_u$ for only one unique $u$. Put $t(N)$ away for a while. All the other $2^n - 2$ intermediate keys for non-empty subsets of $N$ must be distributed equally to each $u$ so that $|I_u| = \lfloor (2^n - 1)/n \rfloor = (2^n - 2)/n$. Note that this is an integer due to Fermat's little theorem. Finally we pick one unlucky user, say $v$, and increment $I_v$ to be $I_v \cup \{t(N)\}$ so that only for $v$, $|I_v| = \lceil (2^n - 1)/n \rceil = (2^n - 2)/n + 1$, and we will be done since this is optimal.

The question now is how to distribute the $2^n - 2$ values $t(S)$, $S \subsetneq N$, $S \neq \emptyset$, equally to each $I_u$, $u \in N$. We accomplish this by first constructing a structure called a block. One block contains $n$ fixed-length differential paths in which the labels are all different. Each block has the property that the number of differential labels in which $u$ appears is equal for every $u \in N$. Thus we just let $\mathrm{DPath}(F)$ be composed of many blocks so that we accomplish the task. However, the difficulty arises since we have to make sure also that any absolute labels from different blocks of the same length are different (requirement 1) and that the set of all differential paths of length $i$ completes the set of $i$-subsets of $N$ (requirement 2). This turns out to be a non-trivial task. We achieve this by

¹ Figure 4 (lower part) should be helpful to get some insight.
defining an equivalence relation between blocks of the same length: informally, two blocks are said to be equivalent if the sets of labels from the two blocks are the same. Therefore we just pick one block from each equivalence class into which this relation partitions the blocks to complete $\mathrm{DPath}(F)$, and we will be done. However, to pick an $i$-length block, it has to be consistent with some $(i-1)$-length block picked previously, in the sense that all absolute labels of the first $i$ nodes away from the root in each path in the two blocks are the same. To accomplish this, we define a relation called the splitting relation between every two complete collections of classes in which the lengths of blocks are consecutive, say $i-1$ and $i$. This relation will imply a set of chains that relate blocks of length 1 to those of length 2 and so on. Consequently, instead of picking up a block, we will pick up a chain, and we will be done. Note that due to (i), wlog, from now on we consider each differential label as an element of $N$ instead of a singleton subset of $N$.

Building Blocks. Now we will formally define the structure "block" and its equivalence relation. Each block is generated by a vector from the space $D_k := \{(d_1, \ldots, d_k) \in (N^*)^k : \forall a \leq b,\ \sum_{j=a}^{b} d_j \not\equiv 0 \pmod n\}$ where we let $N^* = \{1, \ldots, n-1\}$. Figure 4 (upper part) shows examples of blocks.

Definition 5 (Block) For a set $F \subseteq N$ and a vector $d = (d_1, \ldots, d_{k-1}) \in D_{k-1}$, we define the block generated by $d$ over $F$ as

$\langle d \rangle_F = \{(a,\ a + d_1,\ a + d_1 + d_2,\ \ldots,\ a + d_1 + \cdots + d_{k-1}) \bmod n : a \in F\},$

and denote it by $\langle d \rangle_F$. When $F = N$, we simply write $\langle d \rangle$.

Recall that each element in a block is a differential path all of whose differential labels are singleton subsets of $N$, so we can treat such a differential path as a vector for simplicity. Furthermore, one can verify that if $n$ is prime, no absolute labels from any two different differential paths in the same block are the same.

Definition 6 (Equivalence Relation $\equiv$) For vectors $d, e \in D_{k-1}$, we say that $d$ is equivalent to $e$ over the set $F$, and write $d \equiv_F e$, if

$\{\nabla p : p \in \langle d \rangle_F\} = \{\nabla p : p \in \langle e \rangle_F\},$

and when $F = N$, we simply write $d \equiv e$.

It is easy to verify that $\equiv$ is an equivalence relation on the set $D_{k-1}$, i.e., it has reflexivity, symmetry, and transitivity. So what will the equivalence classes into which the relation $\equiv$ partitions $D_{k-1}$ look like? First, we consider the following lemma. Let $\Pi_k$ denote the set of all permutations of $(0, 1, \ldots, k-1)$.

Lemma 1 For $d = (d_1, \ldots, d_{k-1}),\ e = (e_1, \ldots, e_{k-1}) \in D_{k-1}$ let $d_0 := n - \sum_{j=1}^{k-1} d_j \bmod n$ and $e_0 := n - \sum_{j=1}^{k-1} e_j \bmod n$. We have $d \equiv e$ if and only if there exists $(r_0, r_1, \ldots, r_{k-1}) \in \Pi_k$ such that for all $0 \leq i \leq k-1$,

$e_i = \sum_{j = r_i}^{r_{i+1} - 1 \bmod k} d_j \bmod n,$

where we let $r_k := r_0$ and $\sum_{j=b}^{a} d_j = d_b + d_{b+1} + \cdots + d_{k-1} + d_0 + \cdots + d_a$ when $a < b$.
Definition 7 For $r \in \Pi_k$ and $d' = (d_0, \ldots, d_{k-1}) \in (N^*)^k$ such that $\sum_{j=0}^{k-1} d_j \equiv 0 \pmod n$, let

$d' \triangleright r := \Big( \sum_{j=r_0}^{r_1 - 1 \bmod k} d_j,\ \sum_{j=r_1}^{r_2 - 1 \bmod k} d_j,\ \ldots,\ \sum_{j=r_{k-1}}^{r_0 - 1 \bmod k} d_j \Big) \bmod n.$

Lemma 1 implies that such an equivalence class is of the form $[d'] := \{d' \triangleright r : r \in \Pi_k\}$. To see the concrete classes, we first consider $d', e'$ such that $\sum_{j=0}^{k-1} d'_j = \sum_{j=0}^{k-1} e'_j = n$. One can verify that $[d'] = [e']$ if and only if $d'$ is a cyclic permutation of $e'$. Next observe that for an arbitrary $d'$ there will be $r \in \Pi_k$ and $v = (v_0, \ldots, v_{k-1}) \in (N^*)^k$ with $\sum_{j=0}^{k-1} v_j = n$ such that $d' \in [v \triangleright r]$. Therefore the complete collection of these equivalence classes is the collection of classes $[v]$ where each $v$ is a cyclic positive $k$-partition of $n$. We denote this collection of equivalence classes by $\mathcal{E}_{n,k}$. For example, $\mathcal{E}_{6,3} = \{[411], [321], [312], [222]\}$.

From now on, if we write $[v] \in \mathcal{E}_{n,k}$ it is to be understood that $v = (v_0, \ldots, v_{k-1}) \in (N^*)^k$ and $\sum_{j=0}^{k-1} v_j = n$ unless otherwise specified; in addition we will say that $v$ is a representative vector of the class $[v]$.

Definition 8 (Splitting Relation) A splitting relation $\mathrm{Splt}_k \subseteq \mathcal{E}_{n,k} \times \mathcal{E}_{n,k+1}$ is defined as

$\mathrm{Splt}_k := \{([v], [y]) : [\,v|_{k-1} \,\|\, (v_{k-1} - a \bmod n,\ a)\,] = [y],\ a \in N^*\}.$

This definition is well defined: we do not need to be aware of which representative vector of such a class is to be split, i.e., we claim the following lemma:

Lemma 2 For any $w$ such that $w = v \triangleright r$ for some $r \in \Pi_k$ there will be $s \in \Pi_{k+1}$ and $b \in \{1, \ldots, n-1\}$ such that

$w|_{k-1} \,\|\, (w_{k-1} - b \bmod n,\ b) = \big(v|_{k-1} \,\|\, (v_{k-1} - a \bmod n,\ a)\big) \triangleright s.$

To prove this lemma, choose $s = r \,\|\, (k)$ and $b = w_{k-1} - v_{k-1} + a \bmod n$.

Lemma 3 For $2 \leq k \leq \lfloor n/2 \rfloor$ there exists an onto function $f_{n,k} : \mathcal{E}_{n,k} \to \mathcal{E}_{n,k-1}$ such that for all $[v] \in \mathcal{E}_{n,k}$, $(f_{n,k}([v]), [v]) \in \mathrm{Splt}_{k-1}$. For $\lfloor n/2 \rfloor + 1 \leq k \leq n-1$ there exists a one-to-one function $g_{n,k} : \mathcal{E}_{n,k} \to \mathcal{E}_{n,k-1}$ such that $g_{n,k}^{-1} \subseteq \mathrm{Splt}_{k-1}$.

For the functions denoted above, when $f_{n,k}([v^k]) = [v^{k-1}]$ ($2 \leq k \leq \lfloor n/2 \rfloor$) or $g_{n,k}([v^k]) = [v^{k-1}]$ ($\lfloor n/2 \rfloor + 1 \leq k \leq n-1$), we will represent it as $[v^{k-1}] \to [v^k]$. Let $C = \{f_{n,2}, \ldots, f_{n,\lfloor n/2 \rfloor}, g_{n,\lfloor n/2 \rfloor + 1}, \ldots, g_{n,n-1}\}$. A chain $[v^{k_1}] \to [v^{k_1+1}] \to \cdots \to [v^{k_2}]$ is said to be induced by $C$ if every $\to$ in the chain is taken from a mapping in a function in $C$. Such a chain is said to be $(k_1, k_2)$-terminated if there is no $\to$ directed into $[v^{k_1}]$ and no $\to$ directed from $[v^{k_2}]$. Since $f_{n,k}$ is an onto function, each terminated chain is $(1, k)$-terminated for some $\lfloor n/2 \rfloor \leq k \leq n-1$.
The Optimal Construction

Step 1 Find a set of functions $A = \{f_{n,k} : \mathcal{E}_{n,k} \to \mathcal{E}_{n,k-1} \mid 2 \leq k \leq \lfloor n/2 \rfloor\}$ and $B = \{g_{n,k} : \mathcal{E}_{n,k} \to \mathcal{E}_{n,k-1} \mid \lfloor n/2 \rfloor + 1 \leq k \leq n-1\}$ which satisfy Lemma 3.

Step 2 For each terminated chain $[v^1] \to [v^2] \to \cdots \to [v^k]$, we convert, for $j : 1 \leq j \leq k$, each representative vector $v^j$ to $w^j$ so that $[v^j] = [w^j]$ and, for $j : 1 \leq j \leq k-1$,

$w^j|_{j-1} \,\|\, (w^j_{j-1} - a_j \bmod n,\ a_j) = w^{j+1},$

for some $a_j \in \{1, \ldots, n-1\}$. Note that we can do this due to Lemma 2 and the fact that there is only one $\to$ directed into $[v^{j+1}]$, because the function mapped from it determines the $\to$ directed into it.

Step 3 Recall that $A \cup B$ induces only $(1, k)$-terminated chains for some $\lfloor n/2 \rfloor \leq k \leq n-1$. Let ChnLst be the set of all the last terms of terminated chains. Now we construct $F$ by letting

$\mathrm{DPath}(F) = \bigcup_{[x] \in \mathrm{ChnLst}} \langle x|_{|x|-1} \rangle.$

Step 4 Pick one $(n-1)$-length differential path in $\mathrm{DPath}(F)$, say $p$. Increment it to $p \,\|\, (a)$ where $a \notin \nabla p$.

Theorem 6 For $F$ above, we have that $(N, F)$ is an SKDP with $\max_{u \in N} |I_u| = \lceil (2^n - 1)/n \rceil$ and the set of all labels of nodes completes the collection of all non-empty subsets of $N$.

An Example, $n = 7$. The diagram of chains induced by $A \cup B$ in step 1 is shown in Figure 3 (left). After the conversion in step 2 we have the diagram in Figure 3 (right). $\mathrm{DPath}(F)$ defined in step 3 is $\langle(1,1,1,1,1)\rangle \cup \langle(3,5,5,6)\rangle \cup \langle(2,1,1,2)\rangle \cup \langle(3,1,2)\rangle \cup \langle(2,2,1)\rangle$. Lastly we pick $(1,2,3,4,5,6) \in \mathrm{DPath}(F)$ and increment it to $(1,2,3,4,5,6,7)$. This yields $|I_u| = \lfloor (2^7 - 1)/7 \rfloor = 18$ for $u \neq 7$ and $|I_7| = 19$.
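As an added example that is not the paper's code, the n = 7 forest of this construction is generated from the five block vectors given above (step 3) with the step 4 increment, and then run through the generic BE.Keygen of Section 3.1; SHAKE256 is used as a stand-in for the PRSG G_d, which is an assumption of the example. It checks that all 127 non-empty subsets appear, that |I_u| is 18 for u ≠ 7 and 19 for u = 7, and that each user can derive exactly the subset keys of the sets containing that user.

```python
# Added example (not from the paper): the n = 7 forest of the optimal KPS
# construction (Step 3 and Step 4, with the block vectors stated on the page),
# pushed through the generic PRSG-based key assignment of Section 3.1.
# SHAKE256 stands in for the PRSG G_d; this is an assumption of the example.
import hashlib
import os
from itertools import combinations

N = 7        # number of users, a prime
LAM = 16     # lambda, in bytes

def block(d, n=N):
    """Definition 5: <d> over N = the n paths (a, a+d1, a+d1+d2, ...) mod n,
    with residue 0 written as n so that labels live in {1, ..., n}."""
    paths = []
    for a in range(1, n + 1):
        path, cur = [a], a
        for step in d:
            cur = (cur + step - 1) % n + 1
            path.append(cur)
        paths.append(tuple(path))
    return paths

# Step 3: DPath(F) is the union of the blocks of the chain ends (page's vectors);
# Step 4: the (n-1)-length path (1,2,3,4,5,6) is extended by the missing 7.
DPATHS = [block(d) for d in ((1, 1, 1, 1, 1), (3, 5, 5, 6), (2, 1, 1, 2),
                             (3, 1, 2), (2, 2, 1))]
DPATHS = [p + (7,) if p == (1, 2, 3, 4, 5, 6) else p for b in DPATHS for p in b]

def build_forest(dpaths):
    """Nodes keyed by absolute label; value = (differential element, parent).
    Two paths reaching one label must agree, or this is not an SKDP."""
    nodes = {}
    for p in dpaths:
        parent = None
        for i, u in enumerate(p):
            label = frozenset(p[:i + 1])
            if nodes.setdefault(label, (u, parent)) != (u, parent):
                raise ValueError(f"label {sorted(label)} reached inconsistently")
            parent = label
    return nodes

def children_of(nodes):
    kids = {label: [] for label in nodes}
    for label, (_, parent) in nodes.items():
        if parent is not None:
            kids[parent].append(label)
    for lst in kids.values():
        lst.sort(key=sorted)          # fixes the order S_{i_1}, ..., S_{i_d}
    return kids

def prsg(seed, d):
    """Stand-in for G_d: lambda bytes in, d*lambda bytes out."""
    return hashlib.shake_256(seed).digest(d * LAM)

def derive(t, label, kids, t_keys, k_keys):
    """t(S_i1)||...||t(S_id)||k(S_i) := G_{d+1}(t(S_i)), applied recursively."""
    t_keys[label] = t
    out = prsg(t, len(kids[label]) + 1)
    for j, child in enumerate(kids[label]):
        derive(out[j * LAM:(j + 1) * LAM], child, kids, t_keys, k_keys)
    k_keys[label] = out[len(kids[label]) * LAM:]

def keygen(nodes):
    """BE.Keygen: a fresh seed per root; I_u = {t(S) : u is the differential
    element of the node labelled S}."""
    kids, t_keys, k_keys = children_of(nodes), {}, {}
    for label, (_, parent) in nodes.items():
        if parent is None:
            derive(os.urandom(LAM), label, kids, t_keys, k_keys)
    I = {u: {lbl: t_keys[lbl] for lbl, (du, _) in nodes.items() if du == u}
         for u in range(1, N + 1)}
    return I, k_keys, kids

def subset_keys_from(I_u, kids):
    """All k(S) a holder of I_u can reach by running the derivation downward."""
    t_keys, k_keys = {}, {}
    for label, t in I_u.items():
        derive(t, label, kids, t_keys, k_keys)
    return k_keys

def check_optimal_kps():
    """Returns (all 2^7 - 1 subsets present, |I_u| per user, every user derives
    exactly the subset keys of the sets containing them)."""
    nodes = build_forest(DPATHS)
    every = {frozenset(c) for r in range(1, N + 1)
             for c in combinations(range(1, N + 1), r)}
    I, k_keys, kids = keygen(nodes)
    counts = {u: len(I[u]) for u in I}
    exact = all(subset_keys_from(I[u], kids)
                == {S: k for S, k in k_keys.items() if u in S} for u in I)
    return set(nodes) == every, counts, exact
```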


[Figure 3, rendered as text. Columns: $\mathcal{E}_{7,1}$ $\mathcal{E}_{7,2}$ $\mathcal{E}_{7,3}$ $\mathcal{E}_{7,4}$ $\mathcal{E}_{7,5}$ $\mathcal{E}_{7,6}$. Recoverable arrows, left (step 1):
  [7] → [61] → [511] → [4111] → [31111] → [211111]
  [7] → [52] → [421] → [3112] → [22111]
  [7] → [43] → [412] → [3211] → [21211]
  [331] → [3121]
  [322] → [2221]
Right (after step 2):
  [7] → [16] → [115] → [1114] → [11113] → [111112]
  [7] → [25] → [214] → [2113] → [21121]
  [7] → [34] → [356] → [3551] → [35562]
  [313] → [3121]
  [223] → [2212]
The arrows from $\mathcal{E}_{7,2}$ into [331], [322] (left) and into [313], [223] (right) are drawn in the figure but not recoverable from the extracted text.]

Fig. 3. Diagram of chains induced by $A \cup B$ in step 1 (left) and its conversion after step 2 (right). Recall that the direction of $\to$ is opposite to the way the functions are mapped.
[Figure 4, rendered as text. Upper part: $\mathrm{DPath}(F)$ for the optimal KPS with $n = 7$ as five blocks, each listed as its seven paths: $\langle(1,1,1,1,1)\rangle$ with its first path already incremented to $(1,2,3,4,5,6,7)$ and the others $(2,3,4,5,6,7)$, $(3,4,5,6,7,1)$, ..., $(7,1,2,3,4,5)$; $\langle(3,5,5,6)\rangle = \{(1,4,2,7,6), (2,5,3,1,7), (3,6,4,2,1), (4,7,5,3,2), (5,1,6,4,3), (6,2,7,5,4), (7,3,1,6,5)\}$; $\langle(2,1,1,2)\rangle = \{(1,3,4,5,7), (2,4,5,6,1), (3,5,6,7,2), (4,6,7,1,3), (5,7,1,2,4), (6,1,2,3,5), (7,2,3,4,6)\}$; $\langle(3,1,2)\rangle = \{(1,4,5,7), (2,5,6,1), (3,6,7,2), (4,7,1,3), (5,1,2,4), (6,2,3,5), (7,3,4,6)\}$; $\langle(2,2,1)\rangle = \{(1,3,5,6), (2,4,6,7), (3,5,7,1), (4,6,1,2), (5,7,2,3), (6,1,3,4), (7,2,4,5)\}$. Lower part: the same paths in differential-path representation.]

Fig. 4. $\mathrm{DPath}(F)$ (upper part) and its differential path representation (lower part) of the SKDP for the optimal KPS.
Abstract. In Eurocrypt 2003, Boneh et al. presented a novel cryptographic primitive called aggregate signatures. An aggregate signature scheme is a digital signature that supports aggregation: i.e. given $k$ signatures on $k$ distinct messages from $k$ different users it is possible to aggregate all these signatures into a single short signature.

Applying the above concept to verifiably encrypted signatures, Boneh et al. introduced a new complexity assumption called the $k$-Element Aggregate Extraction Problem.

In this paper we show that the $k$-Element Aggregate Extraction Problem is nothing but a Computational Diffie-Hellman Problem in disguise.

Keywords: aggregate signatures, Diffie-Hellman problem, complexity assumption.

1 Introduction 

In Eurocrypt 2003, Boneh, Gentry, Lynn and Shacham [2] introduced the concept of aggregate signatures. An aggregate signature scheme is a digital signature that supports aggregation: given $k$ signatures on $k$ distinct messages from $k$ different users it is possible to aggregate all these signatures into a single short signature. This useful primitive allows one to drastically reduce the size of public-key certificates, thereby saving storage and transmission bandwidth.

Applying the previous construction to verifiably encrypted signatures, Boneh et al. introduced in [2] a new complexity assumption called the $k$-Element Aggregate Extraction Problem (hereafter $k$-EAEP). In this paper we will prove that $k$-EAEP is equivalent to the Computational Diffie-Hellman assumption (CDH).

This paper is structured as follows: section 2 recalls Boneh et al.'s setting, section 3 contains [2,3]'s definition of the $k$-EAEP and section 4 concludes the paper by proving the equivalence between $k$-EAEP and CDH.

2 Verifiable Encrypted Signatures via Aggregation 

We will adopt [2,3]'s notations and settings, namely:

— $G_1$ and $G_2$ are two multiplicative cyclic groups of prime order $p$;

— $g_1$ is a generator of $G_1$ and $g_2$ is a generator of $G_2$;

— $\psi$ is a computable isomorphism from $G_1$ to $G_2$ with $\psi(g_1) = g_2$;

— $e$ is a computable bilinear map $e : G_1 \times G_2 \to G_T$ where $G_T$ is multiplicative and of order $p$. The map $e$ is:

• Bilinear: for all $u \in G_1$, $v \in G_2$ and $a, b \in \mathbb{Z}$, $e(u^a, v^b) = e(u, v)^{ab}$

• Non-degenerate: $e(g_1, g_2) \neq 1$

— $h : \{0,1\}^* \to G_2$ is a hash function.

C.S. Laih (Ed.): ASIACRYPT 2003, LNCS 2894, pp. 392-397, 2003.


Key generation
  Pick random $x \leftarrow \mathbb{Z}_p$
  Compute $v \leftarrow g_1^{x}$
  Public: $v \in G_1$
  Private: $x \in \mathbb{Z}_p$

Signature
  Hash the message $M \in \{0,1\}^*$ into $h \leftarrow h(M) \in G_2$
  Compute the signature $\sigma \leftarrow h^{x} \in G_2$

Verification of $\sigma$ (with respect to $v$ and $M$)
  Compute $h \leftarrow h(M)$
  Check that $e(g_1, \sigma) = e(v, h)$

Fig. 1. Boneh, Lynn, Shacham Signatures.


2.1 Boneh-Lynn-Shacham Signatures 

Figure 1 briefly recalls Boneh, Lynn and Shacham's signature scheme [1], upon which the aggregate signature schemes of [2,3] are based.

2.2 Aggregate Signatures

Consider now a set of $k$ users using Figure 1's scheme (each user having a different key pair bearing an index $i$) and signing different messages $M_i$. Aggregation consists in combining the resulting $k$ signatures $\{\sigma_1, \ldots, \sigma_k\}$ into one aggregate signature $\sigma$. This is done by simply computing:

$\sigma = \prod_{i=1}^{k} \sigma_i$

Aggregate verification is very simple and consists in checking that the $M_i$ are mutually distinct and ensuring that:

$e(g_1, \sigma) = \prod_{i=1}^{k} e(v_i, h_i) \quad \text{where } h_i = h(M_i)$

This holds because:

$e(g_1, \sigma) = e\Big(g_1, \prod_{i=1}^{k} h_i^{x_i}\Big) = \prod_{i=1}^{k} e(g_1, h_i)^{x_i} = \prod_{i=1}^{k} e(g_1^{x_i}, h_i) = \prod_{i=1}^{k} e(v_i, h_i)$
2.3 Verifiably Encrypted Signatures via Aggregation

As explained in [2,3], verifiably encrypted signatures are used in contexts where Alice wants to show Bob that she has signed a message but does not want Bob to possess her signature on that message. Alice can achieve this by encrypting her signature using the public key of a trusted third party (adjudicator, hereafter Carol), and sending the resulting ciphertext to Bob along with a proof that she has given him a valid encryption of her signature. Bob can verify that Alice has signed the message but cannot deduce any information about her signature. Later in the protocol, Bob can either obtain the signature from Alice or resort to the good offices of Carol, who can reveal Alice's signature.

To turn the aggregate signature scheme into a verifiably encrypted signature scheme, [2,3] proceed as follows:

- Alice wishes to create a verifiably encrypted signature that Bob will verify, Carol being the adjudicator. Alice's and Carol's keys are generated as if they were standard signers participating in the aggregate signature protocol described in the previous subsection.

- Alice creates a signature $\sigma$ on $M$ under her public key. She then forges a signature $\sigma'$ on some random message $M'$ under Carol's public key (we refer the reader to [2,3] for more details on the manner in which this existential forgery is produced). She then combines $\sigma$ and $\sigma'$, obtaining the aggregate $\omega$. The verifiably encrypted signature is $\{\omega, M'\}$.

- Bob validates Alice's verifiably encrypted signature $\{\omega, M'\}$ on $M$ by checking that $\omega$ is a valid aggregate signature by Alice on $M$ and by Carol on $M'$.

- Carol adjudicates, given a verifiably encrypted signature $\{\omega, M'\}$ on $M$ by Alice, by computing the signature $\sigma'$ on $M'$ and removing $\sigma'$ from the aggregate, thereby revealing Alice's signature $\sigma$.

3 The $k$-Element Aggregate Extraction Problem

As is clear, the security of Boneh et al.'s verifiably encrypted signature scheme depends on the assumption that, given an aggregate signature of $k$ signatures (here $k = 2$), it is difficult to extract from it the individual signatures (namely: Alice's signature on $M$). This is formally proved in theorem 3 of [2,3].

Considering the bilinear aggregate signature scheme on $G_1$ and $G_2$, Boneh et al. assume that it is difficult to recover the individual signatures $\sigma_i$ given the aggregate $\sigma$, the public keys and the message digests. Actually, [2,3] assume that it is difficult to recover any aggregate $\sigma'$ of any proper subset of the signatures and term this the $k$-Element Aggregate Extraction Problem (hereafter $k$-EAEP).

More formally, this assumption is defined in [2,3] as follows: Let $G_1$ and $G_2$ be two multiplicative cyclic groups of prime order $p$, with respective generators $g_1$ and $g_2$, a computable isomorphism $\psi : G_1 \to G_2$ such that $g_2 = \psi(g_1)$, and a computable bilinear map $e : G_1 \times G_2 \to G_T$.

Consider a $k$-user aggregate in this setting. Each user has a private key $x_i \in \mathbb{Z}_p$ and a public key $v_i = g_1^{x_i} \in G_1$. Each user selects a distinct message $M_i \in \{0,1\}^*$ whose digest is $h_i \in G_2$ and creates a signature $\sigma_i = h_i^{x_i} \in G_2$. Finally, the signatures are aggregated, yielding:

$\sigma = \prod_{i=1}^{k} \sigma_i \in G_2$

Let $I$ be the set $\{1, \ldots, k\}$. Each public key $v_i$ can be expressed as $g_1^{x_i}$, each digest $h_i$ as $g_2^{y_i}$, each signature $\sigma_i$ as $g_2^{x_i y_i}$ and the aggregate signature $\sigma$ as $g_2^{\sum_{i \in I} x_i y_i}$.

Definition 1 ($k$-EAEP). The $k$-Element Aggregate Extraction Problem is the following: given the group elements $g_1^{x_1}, \ldots, g_1^{x_k}$, $g_2^{y_1}, \ldots, g_2^{y_k}$ and $g_2^{\sum_{i \in I} x_i y_i}$, output $(\sigma', I')$ such that $I' \subsetneq I$ and $\sigma' = g_2^{\sum_{i \in I'} x_i y_i}$.

The advantage of an algorithm $\mathcal{E}$ in solving the $k$-EAEP is defined as:

$\mathrm{Adv}\ k\text{-}\mathrm{Extr}_{\mathcal{E}} = \Pr\Big[\, \sigma' = g_2^{\sum_{i \in I'} x_i y_i} \ \wedge\ I' \subsetneq I \ :\ (\sigma', I') \leftarrow \mathcal{E}\big(g_1^{x_1}, \ldots, g_1^{x_k}, g_2^{y_1}, \ldots, g_2^{y_k}, g_2^{\sum_{i \in I} x_i y_i}\big) \Big]$

wherein the probability is taken over the choices of all $x_i$ and $y_i$ and the coin tosses of $\mathcal{E}$.

In the following, we define the hardness of the $k$-EAEP. For simplicity, we use the asymptotic setting instead of the concrete setting of [2].

Definition 2. The $k$-Element Aggregate Extraction Problem is said to be hard if no probabilistic polynomial-time algorithm can solve it with non-negligible advantage.

[2,3] is particularly concerned with the case $k = 2$, where the aggregate extraction problem boils down to the following:

Definition 3 (2-EAEP). Given $g_1^{a}, g_1^{b}, g_2^{u}, g_2^{v}$ and $g_2^{au + bv}$, output $g_2^{au}$.

We refer the reader to [3] for more details on the manner in which this assumption is used in proving the security of the verifiably encrypted signature scheme.


4 fc-EAEP Is Equivalent 

to the Computational Co-Diffie-Hellman Problem 

The Computational co-Diffie-Hellman problem (hereafter co-CDH) is a natural 
generalization to two groups G\ and G 2 of the standard Computational Diffie- 
Hellman problem; it is defined as follows [2]: 
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Definition 4 (co-CDH). Given g\,g\ € G\ and h € G 2 , output h a € C?2- 

The advantage of an algorithm A in solving co-CDH in groups G 1 and G 2 is: 

Adv co-CDI-U = f Pr [A{g!,g^,h) = h a : a £ Z p ,/i £ G 2 ] 

The probability is taken over the choice of a, h and A’s coin tosses. Note that 
when Gi = G 2 , this problem reduces to the standard CDH problem. 

Definition 5. The Computational co-Diffie-Hellman problem in groups G\ and 
G 2 is said to be hard if no probabilistic polynomial-time algorithm can solve it 
with non-negligible advantage. 

The following theorem shows that the fc-Element Aggregate Extraction Prob- 
lem is equivalent to the Computational co-Diffie-Hellman problem. 

Theorem 1. The k-Element Aggregate Extraction Problem is hard if and only 
if the Computational co-Diffie-Hellman problem is hard. 

Proof. It is straightforward to show that an algorithm $\mathcal{A}$ solving co-CDH can be used to solve the k-EAEP. Namely, given the instance $g_1^{x_1}, \ldots, g_1^{x_k}$, $g_2^{y_1}, \ldots, g_2^{y_k}$ and $g_2^{\sum_i x_i y_i}$, using $\mathcal{A}$ we obtain $a' = g_2^{x_1 y_1}$ from $g_1, g_1^{x_1}, g_2^{y_1}$. This gives $(\{1\}, a')$ as a solution to the k-EAEP.

For the converse, we start with $k = 2$, i.e. an algorithm solving the 2-EAEP, and show how to generalize the method to arbitrary $k$. Letting $g_1, g_1^{a}, g_2^{u}$ be a given instance of co-CDH, we must compute $g_2^{au}$ using an algorithm $\mathcal{A}$ solving the 2-EAEP.

We generate $x \leftarrow \mathbb{Z}_p$ and $y \leftarrow \mathbb{Z}_p$; one can see that:

$$\left(g_1^{a},\ g_1^{a+x},\ g_2^{-u},\ g_2^{u+y},\ g_2^{a\cdot y + u\cdot x + x\cdot y}\right)$$

is a valid random instance of the 2-EAEP. The instance is valid because:

$$-a\cdot u + (a + x)\cdot(u + y) = a\cdot y + u\cdot x + x\cdot y$$

The instance is a random one because $g_1^{a+x}$ and $g_2^{u+y}$ are uniformly distributed in $G_1$ and $G_2$. Moreover, the instance can be computed directly from $g_1^{a}$, $g_2^{u}$ and $g_2 = \psi(g_1)$. Therefore, given as input this instance, the algorithm $\mathcal{A}$ outputs $g_2^{-a\cdot u}$, from which we compute $g_2^{a\cdot u}$ and solve the co-CDH problem.

More generally, for $k > 2$, we generate $x_2, \ldots, x_k, y_2, \ldots, y_k \leftarrow \mathbb{Z}_p$ and then generate the following instance of the k-EAEP:

$$\left(g_1^{a},\ g_1^{a+x_2},\ \ldots,\ g_1^{a+x_k},\ g_2^{-(k-1)u},\ g_2^{u+y_2},\ \ldots,\ g_2^{u+y_k},\ g_2^{z}\right)$$

where

$$z = \sum_{i=2}^{k} a\cdot y_i + x_i\cdot(u + y_i)$$

As previously, this is a valid random instance of the k-EAEP, which can be computed from $g_1^{a}$, $g_2^{u}$ and $g_2 = \psi(g_1)$. Therefore, given this instance as input, an algorithm $\mathcal{A}$ solving the k-EAEP outputs $(I', a')$. We assume that $1 \in I'$, otherwise we can take $I'' \leftarrow I \setminus I'$ (with $I = \{1, \ldots, k\}$) and $a'' \leftarrow g_2^{z} / a'$. Letting $a' = g_2^{z'}$ and $k' = |I'| < k$, we have:

$$z' = -(k-1)\cdot a\cdot u + \sum_{i \in I',\, i > 1} (a + x_i)(u + y_i)$$

$$z' = a\cdot u\cdot(k' - k) + \sum_{i \in I',\, i > 1} a\cdot y_i + x_i\cdot(u + y_i)$$

Therefore we can compute:

$$g_2^{a\cdot u} = \left( \frac{a'}{\prod_{i \in I',\, i > 1} (g_2^{a})^{y_i}\,(g_2^{u})^{x_i}\,g_2^{x_i y_i}} \right)^{1/(k'-k)}$$

which is the solution of the co-CDH instance.

Therefore, given a polynomial time probabilistic algorithm solving the k-EAEP with non-negligible advantage, we obtain a polynomial time probabilistic algorithm solving co-CDH with non-negligible advantage, and conversely, with a tight reduction in both directions. □
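The converse direction of the proof, carried out in code as an added example (it is not code from the paper or its authors): a co-CDH challenge is re-randomized into the k-EAEP instance above, a stand-in k-EAEP solver answers it, and the answer is turned back into $g_2^{au}$ with the formula for $z'$. The group is a constructed toy Schnorr group with $G_1 = G_2$ (so $\psi$ is the identity and co-CDH is plain CDH, as the text notes), and the stand-in solver is handed the discrete logarithms of its input, which a real solver would not have; both are assumptions made only so that the reduction's bookkeeping, including the $1 \notin I'$ case, can be checked end to end.

```python
import random

# Constructed toy parameters (not from the paper): P is a safe prime, G generates
# the subgroup of prime order Q in Z_P^*, and G_1 = G_2 so psi is the identity.
P = 2039
Q = 1019
G = 4


def psi(x):
    """Isomorphism G_1 -> G_2 used by the proof; the identity because G_1 = G_2 here."""
    return x


def inv(x):
    """Multiplicative inverse in Z_P^*."""
    return pow(x, P - 2, P)


def eaep_instance_from_cocdh(g1_a, g2_u, k, rng=random):
    """Randomized k-EAEP instance of the proof, built from the co-CDH challenge
    (g1^a, h = g2^u) only: (g1^a, g1^{a+x_i}, g2^{-(k-1)u}, g2^{u+y_i}, g2^z)."""
    g2_a = psi(g1_a)                                     # g2^a is available through psi
    xs = [rng.randrange(Q) for _ in range(k - 1)]        # x_2, ..., x_k
    ys = [rng.randrange(Q) for _ in range(k - 1)]        # y_2, ..., y_k
    first = [g1_a] + [g1_a * pow(G, x, P) % P for x in xs]
    second = [pow(g2_u, (-(k - 1)) % Q, P)] + [g2_u * pow(G, y, P) % P for y in ys]
    gz = 1                                               # g2^z with z = sum_i a*y_i + x_i*(u+y_i)
    for x, y in zip(xs, ys):
        gz = gz * pow(g2_a, y, P) * pow(g2_u, x, P) * pow(G, x * y % Q, P) % P
    return (first, second, gz), xs, ys


def cocdh_from_eaep_answer(g1_a, g2_u, gz, xs, ys, subset, a_prime, k):
    """Turn the k-EAEP answer (I', a') into g2^{au}, following the z' computation."""
    g2_a = psi(g1_a)
    if 1 not in subset:                                  # switch to I'' = I \ I', a'' = g2^z / a'
        subset = set(range(1, k + 1)) - set(subset)
        a_prime = gz * inv(a_prime) % P
    k_prime = len(subset)                                # k' = |I'| < k
    acc = a_prime
    for i in subset:
        if i == 1:
            continue
        x, y = xs[i - 2], ys[i - 2]
        # strip (g2^a)^{y_i} (g2^u)^{x_i} g2^{x_i y_i}; what is left is g2^{au(k'-k)}
        acc = acc * inv(pow(g2_a, y, P) * pow(g2_u, x, P) * pow(G, x * y % Q, P) % P) % P
    e = pow((k_prime - k) % Q, -1, Q)                    # 1/(k'-k) mod Q; nonzero since 0 < k-k' < Q
    return pow(acc, e, P)


def trapdoor_eaep_oracle(x_full, y_full, rng=random):
    """Stand-in for the k-EAEP solver A (assumption for testing only): it receives the
    exponents of the instance and returns a random proper subset I' with g2^{sum x_i y_i}."""
    k = len(x_full)
    subset = set(rng.sample(range(1, k + 1), rng.randrange(1, k)))
    z_prime = sum(x_full[i - 1] * y_full[i - 1] for i in subset) % Q
    return subset, pow(G, z_prime, P)


def reduction_round_trip(k=4, seed=1):
    """Draw a co-CDH challenge, run the reduction against the stand-in solver and
    return (instance_is_a_valid_k_EAEP_instance, recovered_value_equals_g2^{au})."""
    rng = random.Random(seed)
    a, u = rng.randrange(1, Q), rng.randrange(1, Q)
    g1_a, g2_u = pow(G, a, P), pow(G, u, P)
    instance, xs, ys = eaep_instance_from_cocdh(g1_a, g2_u, k, rng)
    # exponents of the instance; known to this driver only, never to the reduction
    x_full = [a] + [(a + x) % Q for x in xs]
    y_full = [(-(k - 1) * u) % Q] + [(u + y) % Q for y in ys]
    valid = instance[2] == pow(G, sum(x * y for x, y in zip(x_full, y_full)) % Q, P)
    subset, a_prime = trapdoor_eaep_oracle(x_full, y_full, rng)
    answer = cocdh_from_eaep_answer(g1_a, g2_u, instance[2], xs, ys, subset, a_prime, k)
    return valid, answer == pow(G, a * u % Q, P)


if __name__ == "__main__":
    print(reduction_round_trip(k=5, seed=7))             # expected: (True, True)
```

The reduction itself only touches $g_1^{a}$, $g_2^{u}$, $g_2$ and its own randomizers $x_i, y_i$; the exponent $1/(k'-k)$ is taken modulo the group order, which is why $k' < k$ (a proper subset) matters.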



5 Conclusion

In this paper we showed that the k-element Aggregate Extraction Problem introduced by Boneh, Gentry, Lynn and Shacham in [2,3] is equivalent to the Computational Diffie-Hellman Problem.

By shedding light on the connection between Boneh et al.'s verifiable encrypted signature scheme and the well-researched Computational Diffie-Hellman Problem, we show that [2,3] features not only attractive computational requirements and short signature size, but also strong security assurances.
Abstract. We show how to construct practical honest-verifier statistical zero-knowledge Diophantine arguments of knowledge (HVSZK AoK) that a committed tuple of integers belongs to an arbitrary language in bounded arithmetic. While doing this, we propose a new algorithm for computing the Lagrange representation of nonnegative integers and a new efficient representing polynomial for the exponential relation. We apply our results by constructing the most efficient known HVSZK AoK for non-negativity and the first constant-round practical HVSZK AoK for the exponential relation. Finally, we propose the outsourcing model for cryptographic protocols and design communication-efficient versions of the Damgård-Jurik multi-candidate voting scheme and of the Lipmaa-Asokan-Niemi $(b+1)$st-price auction scheme that work in this model.

Keywords: Arguments of knowledge, Diophantine complexity, integer commitment scheme, statistical zero knowledge.

1 Introduction 

A set $S \subseteq \mathbb{Z}^n$ is called Diophantine [Mat93] if it has a representing polynomial $\mathfrak{R}_S \in \mathbb{Z}[X; Y]$, $X = (X_1, \ldots, X_n)$ and $Y = (Y_1, \ldots, Y_m)$, such that $\mu \in S$ iff for some witness $\omega \in \mathbb{Z}^m$, $\mathfrak{R}_S(\mu; \omega) = 0$. A seminal result of Matiyasevich from 1970 states that every recursively enumerable set is Diophantine. It has been an open question since [AM76] whether D = NP, where D is the class of sets $S$ that have representing polynomials $\mathfrak{R}_S$ such that $\mu \in S$ iff for some polynomially long witness $\omega \in \mathbb{Z}^m$, $\mathfrak{R}_S(\mu; \omega) = 0$. One is also tempted to ask a similar question PD = P about the "deterministic" version of the class D, the class PD that contains those languages for which the corresponding polynomially long witnesses can be found in polynomial time. The gap in our knowledge in such questions is quite surprising; this is maybe best demonstrated by the recent proof of Pollett that if D $\supseteq$ co-NLOGTIME then D = NP [Pol03].

In this paper we take a more practice-oriented approach. Namely, we are interested in the sets $S$ with sub-quadratic witnesses (i.e., with length sub-quadratic in the length of the inputs). We propose representing polynomials with sub-quadratic, polynomial-time computable witnesses for a practically important, although relatively small, class $L_2$ of languages of bounded arithmetic. (This class of languages includes many arithmetic and number-theoretic relations like $[\mu_3 = \max(\mu_1, \mu_2)]$, but also relations like $[\mu_2 \text{ is the } i\text{th bit of } \mu_1]$.) For this, we demonstrate that the exponential relation has a representing polynomial with polynomial-time computable sub-quadratic-length witnesses. This improves somewhat on the previous best result of [AM76]; differently from the latter, we will also give a self-contained proof of this result, and provide a precise complexity analysis. Our next contribution is a new algorithm for finding, given a positive integer $\mu$, such integers $(\omega_1, \ldots, \omega_4)$ that $\mu = \omega_1^2 + \cdots + \omega_4^2$. This algorithm improves on the Rabin-Shallit algorithm [RS86].

C.S. Laih (Ed.): ASIACRYPT 2003, LNCS 2894, pp. 398-415, 2003.

While representing polynomials with short witnesses have independent interest in complexity theory [AM76], our work on this topic was motivated by cryptographic applications. Given an integer commitment scheme [FO99,DF02] with efficient arguments of knowledge for additive and multiplicative relations, one can argue (by using the methodology from [FO99]) in honest-verifier statistical zero-knowledge (HVSZK) that $f(\mu) = 0$, where $\mu$ is a tuple of committed integers. By following this methodology, one can design efficient argument systems for several important cryptographic problems. However, there has been no previous formal treatment of what happens if one extends this methodology (at least not when coupled with an integer commitment scheme) so as to enable the demonstration of knowledge of an auxiliary witness $\omega$ for which $f(\mu; \omega) = 0$. A natural requirement here is that if the arguer convinces the verifier that she knows such an $\omega$, the verifier will also be convinced that $\mu \in S$, where $f = \mathfrak{R}_S$ is the representing polynomial of $S$.

Thus, by using well-known cryptographic tools, one can construct polynomial-length three-round HVSZK arguments of knowledge that $\mu \in S$ for any $S \in$ D. However, these arguments can only be executed if the arguer knows the corresponding witness. If there is a polynomial-time algorithm to compute the witness from $\mu$ (that is, $S \in$ PD), then one will be able to argue that $\mu \in S$ for an arbitrary $\mu \in S$. If, additionally, the corresponding witnesses are sub-quadratic (as they are when $S \in L_2$), then by using the described methodology one can often improve upon previously known arguments of knowledge, either in efficiency or by basing the arguments on weaker security requirements: namely, it is sufficient to require that the underlying integer commitment scheme is statistically hiding and computationally binding [FO99]. In particular, we use our new algorithm for finding the representation $\mu = \omega_1^2 + \cdots + \omega_4^2$ to propose a new argument of knowledge for non-negativity of the committed integer. Compared to Boudot's protocol for the same problem [Bou00], this argument is conceptually much simpler, somewhat shorter, and offers perfect completeness.

After that, we propose a general model for cryptographic protocols that involve social or financial choices (e.g., voting or auctions). In this model one can implement any function from the class $L_2$ (e.g., maximum-finding in the case of auctions) by using sub-quadratic-length interaction. As [CGS97,DJ01,LAN02], our model uses a certain encoding function enc of the social choices together with a homomorphic public-key cryptosystem. As an example, in this model we can construct an efficient minimal-disclosure voting protocol where the talliers will only get to know the winning candidate.

Finally, we propose a few alternative constructions for the encoding function. Until now, one has mostly used the function $\mathrm{enc}(n) = a^n$, where $a$ is an a priori fixed upper limit on the number of participants [CGS97,DJ01,LAN02]. We show that instead, one can use the function $\mathrm{enc}(n) = Z_a(n)$, where $Z_a(n)$ is the $n$th member of a certain Lucas sequence, to achieve otherwise exactly the same properties as in [DJ01,LAN02] but with correctness arguments of length $O(\max(k, m \log a))$, where $k$ is the security parameter, $a$ is the maximal number of participants, and $m$ is the number of possible social or financial choices (e.g., the number of different bids). This is $O(\log m)$ times more efficient than the protocols from [DJ01,LAN02]. We also propose an efficient algorithm for computing $Z_a(n)$. Lucas sequences have definitely more applications in zero-knowledge proofs or arguments than described in this paper. We also demonstrate another approach that uses exponentiation as the encoding function.

Road-Map. We introduce the necessary preliminaries in Section 2. In Section 3, we prove that languages in $L_2$ have representing polynomials with sub-quadratic-length witnesses. In Section 4, we present a methodology that allows one to apply our HVSZK arguments of knowledge together with homomorphic cryptosystems to a variety of cryptographic protocols. Finally, the appendix describes our simplifications and extensions to the Damgård-Fujisaki commitment scheme together with a new and efficient argument system for nonnegativity.

2 Preliminaries and Notation

We say that an algorithm $f$ is efficient when $f$ works in probabilistic polynomial time with respect to the summatory length of its parameters; we denote the set of efficient algorithms by $\mathcal{EA}$. Let $\mathrm{bit}(x, i)$ denote the $i$th bit of $x$, i.e., $x = \sum_{i \geq 0} \mathrm{bit}(x, i)\cdot 2^i$. When $D$ is a distribution (including the output distribution of some probabilistic algorithm) then $x \leftarrow D$ denotes the choice of a random element $x$ according to $D$. We denote the uniform distribution over a set $S$ also by $S$, that is, $x \leftarrow S$ means that $x$ is chosen uniformly and randomly from $S$.

Bounded Arithmetic. Bounded arithmetic is a first-order theory of the natural numbers with non-logical symbols $0$, $\sigma$, $+$, $\cdot$, $\leq$, $\dot{-}$, $\lfloor x/2 \rfloor$, $|x|$, $\mathrm{MSP}(x, i)$ and $\sharp$. The symbols $0$, $\sigma(x) := x + 1$, $+$, $\cdot$, and $\leq$ have their usual meaning. Other operations are defined as $x \dot{-} y := \max(x - y, 0)$, $|x| := \lfloor \log_2(x + 1) \rfloor$, $\mathrm{MSP}(x, i) := \lfloor x/2^i \rfloor$ and $x \sharp y := 2^{|x|\cdot|y|}$. For our purposes we adapt a slightly modified definition of bounded arithmetic where the underlying domain is $\mathbb{Z}$ instead of $\mathbb{N}$. We denote by $L_2$ the set of terms of the quantifier-free bounded arithmetic (over $\mathbb{Z}$).

One can express a large number of relations in $L_2$. Many familiar predicates (like $[\mu_1 > \mu_2]$, $[\mu_1 \text{ is a perfect square}]$, $[\mu_2 = \mathrm{bit}(\mu_1, i)]$) are known to belong to $L_2$. They can be readily found in the literature.

Lucas Sequences. All nonnegative integral solutions $(x, y)$ of the equation $x^2 - axy + y^2 = 1$ are either equal to $(Z_a(n+1), Z_a(n))$ or $(Z_a(n), Z_a(n+1))$, $n \geq 0$, where $Z_a(n)$ (that we mostly denote by $a^{[n]}$) can be computed by using the next recurrent identities [Mat93]: $Z_a(0) := 0$, $Z_a(1) := 1$, and $Z_a(n+2) := aZ_a(n+1) - Z_a(n)$ for $n \geq 0$. Thus, $\{Z_a(n)\}_{n \in \mathbb{N}}$ is a Lucas sequence. Another important property of $Z_a(n)$ is that when $a > 2$ and $n \geq 0$ then $(a-1)^n \leq Z_a(n+1) \leq a^n$. The next variant of the Russian peasant algorithm can be used to efficiently compute the pair $(Z_a(n+1), Z_a(n))$:

Lemma 1. The next algorithm computes $(Z_a(n+1), Z_a(n))$ from $(a, n)$ by doing $\approx 3\cdot\log_2 n$ two-variable multiplications on average:

1. $\ell := \lfloor \log_2 n \rfloor$; $z := 1$; $z' := 0$

2. for $i := \ell$ downto $0$ do

   $t := z$; if $\mathrm{bit}(n, i) = 1$ then $z := z(at - 2z')$; $z' := t^2 - z'^2$
   else $z := t^2 - z'^2$; $z' := z'(2t - az')$

3. Return $(z, z')$.

Proof. Follows from the identities $Z_a(2n) = Z_a(n)(2Z_a(n+1) - aZ_a(n)) = Z_a(n)(aZ_a(n) - 2Z_a(n-1))$ and $Z_a(2n+1) = Z_a^2(n+1) - Z_a^2(n)$. □

While a similar $O(\log n)$-time algorithm for Lucas sequences is described, for example, in [JQ96], the algorithm presented there works for somewhat different sequences and requires $4.5(\log_2 n + O(1))$ multiplications. Log-time algorithms for Lucas sequences have been known at least since [Wil82].
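Lemma 1's left-to-right binary algorithm, written out as an added example (not the paper's own code) with the invariant made explicit: after the bits $\ell, \ldots, i$ of $n$ have been consumed, $(z, z')$ equals $(Z_a(m+1), Z_a(m))$ for $m = \lfloor n/2^i \rfloor$. The checker below cross-checks the result against the defining recurrence and against the three facts the text states about $Z_a$ (the conic $x^2 - axy + y^2 = 1$, the bounds $(a-1)^n \leq Z_a(n+1) \leq a^n$, and the congruence $Z_a(n) \equiv n \pmod{a-2}$ that Lemma 2 relies on); the sample parameters are constructed.

```python
def lucas_pair(a, n):
    """(Z_a(n+1), Z_a(n)) by the Lemma 1 algorithm: one doubling step per bit of n."""
    z, zp = 1, 0                                # (Z_a(1), Z_a(0)), i.e. m = 0
    for i in range(n.bit_length() - 1, -1, -1): # i = floor(log2 n) downto 0
        t = z
        if (n >> i) & 1:                        # m -> 2m + 1
            z = t * (a * t - 2 * zp)            # Z_a(2m+2) = Z_a(m+1)(a Z_a(m+1) - 2 Z_a(m))
            zp = t * t - zp * zp                # Z_a(2m+1) = Z_a(m+1)^2 - Z_a(m)^2
        else:                                   # m -> 2m
            z = t * t - zp * zp                 # Z_a(2m+1)
            zp = zp * (2 * t - a * zp)          # Z_a(2m) = Z_a(m)(2 Z_a(m+1) - a Z_a(m))
    return (z, zp)


def lucas_naive(a, n):
    """Z_a(n) straight from the recurrence Z_a(n+2) = a Z_a(n+1) - Z_a(n), for cross-checking."""
    x, y = 0, 1                                 # Z_a(0), Z_a(1)
    for _ in range(n):
        x, y = y, a * y - x
    return x


def check_identities(a, n):
    """True iff lucas_pair(a, n) agrees with the recurrence and the computed pair satisfies
    the conic identity, the bounds (for a > 2) and the congruence modulo a - 2."""
    zn1, zn = lucas_pair(a, n)
    ok = zn == lucas_naive(a, n) and zn1 == lucas_naive(a, n + 1)
    ok = ok and zn1 * zn1 - a * zn1 * zn + zn * zn == 1   # (Z_a(n+1), Z_a(n)) lies on the conic
    ok = ok and (a - 1) ** n <= zn1 <= a ** n             # (a-1)^n <= Z_a(n+1) <= a^n
    ok = ok and (zn - n) % (a - 2) == 0                   # Z_a(n) ≡ n (mod a-2)
    return ok


if __name__ == "__main__":
    # constructed sample: a = 3 gives 0, 1, 3, 8, 21, 55, 144, ... so (Z_3(6), Z_3(5)) = (144, 55)
    print(lucas_pair(3, 5))
    print(all(check_identities(a, n) for a in range(3, 12) for n in range(40)))
```

The congruence check is what makes the encoding $\mathrm{enc}(n) = Z_a(n)$ and the bounded-quantifier trick of Lemma 2 work: an element of the sequence reveals its index modulo $a - 2$, and the bounds pin down how large it must be.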

Arguments of Knowledge. For bit-strings $a$ and $\mu$, and predicate $Q(\cdot)$, we denote by $\mathrm{AK}(Q(a, \mu))$ a three-round honest-verifier statistical zero-knowledge (HVSZK) two-party argument of knowledge (AoK) that given a value $a$ (known to both parties), the arguer knows an integer parameter $\mu$ such that the predicate $Q(a, \mu)$ is true. We always denote the values, knowledge of which has to be proved, by Greek letters; the scope of such variables lies within a single AoK. The symbol $\omega$ will always denote an auxiliary witness. As an example, $\mathrm{AK}(y = E_K(\mu; \rho) \wedge \mu^2 = \omega)$ denotes a HVSZK AoK that given a ciphertext $y$ and a public key $K$, the arguer knows a plaintext $\mu$ and a randomness $\rho$ such that $y = E_K(\mu; \rho)$ and $\mu$ is a perfect square. Our protocols will be AoK-s in the model of Damgård and Fujisaki [DF02]. An important property of zero-knowledge arguments is that the verifier cannot extract (significant) additional information even if he is given infinite time. This makes AoK-s more attractive than proofs of knowledge in applications where privacy of the arguer is paramount. A HVSZK argument system can be made non-interactive by using the Fiat-Shamir heuristic [FS86] in the random-oracle model. The converted argument is also secure against malicious verifiers. There exist alternative methods for converting a HVSZK argument into a full interactive zero-knowledge argument that do not use random oracles. For the purpose of the Fiat-Shamir heuristic, we introduce a random oracle $H : \{0, 1\}^* \to \{0, 1\}^{2k}$.

Integer Commitment Schemes. A secure (in the sense of being statistically hiding and computationally binding) integer commitment scheme $C$ allows the arguer $A \in \mathcal{EA}$ to commit to an integer $m \in \mathbb{Z}$, so that (1) for uniform and random $r_1, r_2$ and any $m_1, m_2 \in \mathbb{Z}$, the distributions $C_K(m_1; r_1)$ and $C_K(m_2; r_2)$ are statistically close; and (2) it is intractable for $A$ to find $m_1, m_2, r_1$ and $r_2$ such that $m_1 \neq m_2$ but $C_K(m_1; r_1) = C_K(m_2; r_2)$. Known integer commitment schemes include [FO99,DF02]; the security of both integer commitment schemes is based on some reasonable security assumptions that seem to be satisfied by class groups and a large variety of RSA groups. We will give a description of a simplified Damgård-Fujisaki scheme in Appendix A. The main simplifications are: (a) in the revealing phase, it is sufficient for the committer to send the pair $(m, r)$ instead of the triple $(m, r, b)$ and (b) the underlying root assumption is modified to have the following, simpler, form: given random $y$, it is hard to produce such $(x, d, e)$ that $y^e = x^{de}$ and $e$ is reasonably small.

By using a secure integer commitment scheme, one can build an HVSZK argument system for different relations between committed integers $\mu_i$. In all such argument systems, arguer and verifier have to fix, for every $i$, an a priori upper bound $M_i$ on the input $\mu_i$ [FO99,DF02]. The argument system is guaranteed to have the statistical zero-knowledge property only if $|\mu_i| \leq M_i$. Therefore, in such protocols the interaction length depends on $\log_2 M_i$, and thus it is beneficial to precompute as precise values of $M_i$ as feasible. Certainly it must be the case that $\log_2 M_i = k^{O(1)}$. Additionally, we will describe in Appendix A how to commit to an integer tuple (and not just to an integer). The resulting integer tuple commitment scheme can be used to construct more efficient arguments of knowledge than the Damgård-Fujisaki commitment scheme by itself.

Diophantine Complexity. Based on the earlier work of Davis, Putnam and Robinson, Matiyasevich proved in 1970 [Mat70] that every recursively enumerable set is Diophantine (this important result is known as the DPRM theorem), thus solving negatively Hilbert's tenth problem from the year 1900. This work on Hilbert's tenth problem has had many interesting consequences. See [Mat93] for a presentation of the main results of this work and related history. In 1976, Adleman and Manders [AM76] proposed the next complexity-theoretic class D of sets: $S \in$ D iff there exists a representing polynomial $\mathfrak{R}_S$ such that $\mu \in S \iff (\exists \omega)\,[\,|\omega| = |\mu|^{O(1)} \wedge \mathfrak{R}_S(\mu; \omega) = 0\,]$. Obviously, D $\subseteq$ NP. On the other hand, Adleman and Manders showed that several NP-complete problems belong to the class D and, based on that, conjectured that D = NP. Their conjecture was later implicitly supported by Jones and Matiyasevich [JM84], who proved that D = NP iff the set $\{(\mu_1, \mu_2) : \mu_1 \leq_2 \mu_2\}$ belongs to D (here, $\mu_1 \leq_2 \mu_2$ iff $\mathrm{bit}(\mu_1, i) \leq \mathrm{bit}(\mu_2, i)$ for every $i$), and by Pollett [Pol03], who recently showed that when co-NLOGTIME $\subseteq$ D then D = NP. The gap between co-NLOGTIME and NP is wide and thus, as expected, not much is known about the actual power of the class D.

In the following, let $M_i$ be some a priori upper bound on the length of the input $\mu_i$ and let $W_j$ be a similar upper bound on the witness $\omega_j$ that holds when the lengths of the inputs $\mu_i$ never exceed the values $M_i$. Let $M := \max_i M_i$ and $W := \max_j W_j$; note that the value $W$ is a function of $M$ and $\mathfrak{R}_S$. Since the number of witnesses $m$ and the degree of the polynomial $\mathfrak{R}_S$ do not depend on the input size $M$, the total size of inputs to the representing polynomial will be $O(M + W)$. Now, $S \in$ D if for some representing polynomial $\mathfrak{R}_S$, $W = M^{O(1)}$, and therefore the Adleman-Manders conjecture says that $S \in$ NP iff for some polynomial $\mathfrak{R}_S$, $\mu \in S \iff (\exists \omega)\,[\,\mathfrak{R}_S(\mu; \omega) = 0 \wedge W = M^{O(1)}\,]$.

In the standard definition of Diophantine sets [Mat93] only nonnegative witnesses are admitted. The classes D and PD do not change when we modify their definitions to allow negative integer witnesses, since $\mu \in S \iff (\exists \omega, \omega' \in \mathbb{N}^m)\,[\,\mathfrak{R}_S(\mu; \omega_1 - \omega'_1, \ldots, \omega_m - \omega'_m) = 0\,]$. On the other hand, if $S$ has a representing polynomial $\mathfrak{R}'_S(\mu; \omega)$ with nonnegative witnesses, then $S$ can be represented by $\mathfrak{R}'_S(\mu; \sum_{i=1}^{4} \omega_{1i}^2, \ldots, \sum_{i=1}^{4} \omega_{mi}^2)$; the latter follows from a classical theorem of Lagrange (see also Thm. 2). For convenience, we will implicitly assume that all the variables belong to $\mathbb{Z}$ (and not to $\mathbb{N}_0$).

3 Bounded Arithmetic Is in PD

First, let us introduce a new complexity class PD that is a Diophantine analogue of P. Namely, we say that $S \in$ PD iff there is a polynomial $\mathfrak{R}_S \in \mathbb{Z}[X; Y]$ such that (1) there exists an efficient witness algorithm $\mathfrak{P}_S \in \mathcal{EA}$ such that if $\mu \in S$ then $\mathfrak{R}_S(\mu; \mathfrak{P}_S(\mu)) = 0$; (2) if $\mu \notin S$ then for any $\omega$ with $|\omega| = |\mu|^{O(1)}$, $\mathfrak{R}_S(\mu; \omega) \neq 0$. Recently, Pollett proved that all sets in $L_2$ belong to D [Pol03]. We extend this to a proof that all sets in $L_2$ belong to PD.

Theorem 1. All $L_2$-terms belong to PD, with $W = M^{2-\varepsilon}$ for $\varepsilon > 0$.

Proof. To show that $L_2$-terms belong to PD, we will first show that all non-logical basic relations of bounded arithmetic belong to PD. Thereafter, we show how to implement the Boolean operators that connect them by using induction on the structure of formulas. Clearly, the first four basic non-logical symbols ($0$, $\sigma$, $+$, $\cdot$) have representing polynomials with no auxiliary witnesses. (For example, the predicate $[\mu_2 = \sigma(\mu_1)]$ is represented by the polynomial $\mathfrak{R}_S(\mu_1, \mu_2) = \mu_2 - \mu_1 - 1$.) The representing polynomial for $\leq$ can be constructed by using the representing polynomial for non-negativity, see Thm. 2.

The Boolean operators $\wedge$, $\vee$ and $\neg$ can be dealt with as follows. Let $S, S' \in$ PD have representing polynomials $\mathfrak{R}_S$ and $\mathfrak{R}_{S'}$, and witness algorithms $\mathfrak{P}_S$ and $\mathfrak{P}_{S'}$. Then $\mathfrak{R}_{S \cup S'}(\mu; \omega, \omega') = \mathfrak{R}_S(\mu; \omega)\cdot\mathfrak{R}_{S'}(\mu; \omega')$, $\mathfrak{R}_{S \cap S'}(\mu; \omega, \omega') = \mathfrak{R}_S(\mu; \omega)^2 + \mathfrak{R}_{S'}(\mu; \omega')^2$ and $\mathfrak{P}_{S \cup S'}(\mu) = \mathfrak{P}_{S \cap S'}(\mu) = (\mathfrak{P}_S(\mu), \mathfrak{P}_{S'}(\mu))$. Therefore, if $S_i \in X$ then also $S_1 \cup S_2, S_1 \cap S_2 \in X$ for $X \in \{\text{D}, \text{PD}\}$. One can establish that $\neg P(\cdot)$ belongs to PD by induction, assuming that $P(\cdot)$ belongs to PD and then studying the case of every possible main connective of $P$ separately. (This can introduce some new witnesses.) As an example, $[\mu_1 \neq \mu_2] = [(\mu_1 < \mu_2) \vee (\mu_1 > \mu_2)]$.

Three of the remaining operations can now be defined as $[\mu_3 = \mu_1 \dot{-} \mu_2] = [((\mu_1 - \mu_2 = \mu_3) \wedge (\mu_1 \geq \mu_2)) \vee (\mu_3 = 0 \wedge \mu_1 < \mu_2)]$, $[\mu_2 = \lfloor \mu_1/2 \rfloor] = [(\mu_1 = 2\mu_2) \vee (\mu_1 = 2\mu_2 + 1)]$ and $[\mu_2 = \mathrm{MSP}(\mu_1, i)] = [(\mu_1 = 2^i\cdot\mu_2 + \omega) \wedge (\omega \in [0, 2^i - 1])]$. Note that only the last three operations need a nonempty witness $\omega$, with $W = O(M)$. That $[\mu_3 = \mu_1^{\mu_2}]$ is in PD follows from Thm. 3. Finally, $[\mu_2 = |\mu_1|] = [\omega_1 = 2^{\mu_2} \wedge \omega_1 \leq \mu_1 + 1 \wedge (\mu_1 + 1) < 2\omega_1]$. Thus, $[\mu_3 = \mu_1 \sharp \mu_2] = [(\omega_1 = |\mu_1|) \wedge (\omega_2 = |\mu_2|) \wedge (\mu_3 = 2^{\omega_1\cdot\omega_2})]$. The theorem follows from Thm. 3,
Algorithm 1 Algorithm for computing a Lagrange representation $\mu = \omega_1^2 + \omega_2^2 + \omega_3^2 + \omega_4^2$, $\omega \leftarrow \mathrm{Lagrange}(\mu)$

1. Write $\mu$ in the form $\mu = 2^t(2k + 1)$, where $t, k \geq 0$.

2. If $t = 1$, then

   (a) Choose random $\omega_1 \leq \sqrt{\mu}$, $\omega_2 \leq \sqrt{\mu - \omega_1^2}$, such that exactly one of $\omega_1, \omega_2$ is even. Let $p \leftarrow \mu - \omega_1^2 - \omega_2^2$. Now $p \equiv 1 \pmod 4$.

   (b) Hoping that $p$ is prime, try to express $p = \omega_3^2 + \omega_4^2$ as follows: First, find a solution $u$ to the equation $u^2 \equiv -1 \pmod p$. Apply the Euclidean algorithm to $(u, p)$, take the first two remainders that are less than $\sqrt{p}$ to be $\omega_3$ and $\omega_4$. If $p \neq \omega_3^2 + \omega_4^2$, $p$ was not prime, so go back to step 2a.

   (c) Return $(\omega_1, \ldots, \omega_4)$ as the representation.

3. If $t$ is odd but not 1, find a representation $(\omega_1, \ldots, \omega_4)$ of $2(2k + 1)$ by step 2. Return $(s\omega_1, \ldots, s\omega_4)$, where $s = 2^{(t-1)/2}$.

4. If $t$ is even, find a representation $\omega_1^2 + \omega_2^2 + \omega_3^2 + \omega_4^2$ for $2(2k + 1)$ by step 2. Then convert this to a representation for $(2k + 1)$ as follows: Group $\omega_1, \omega_2, \omega_3, \omega_4$ so that $\omega_1 \equiv \omega_2 \pmod 2$ and $\omega_3 \equiv \omega_4 \pmod 2$. Return $(s(\omega_1 + \omega_2), s(\omega_1 - \omega_2), s(\omega_3 + \omega_4), s(\omega_3 - \omega_4))$, where $s = 2^{t/2 - 1}$.


that, together with Thm. 2, will finish this proof when we note that by induction on the length of formulas, all terms of $L_2$ have witnesses of sub-quadratic length, $W = M^{2 - \Omega(1)}$. □

Next, we show that non-negativity and the exponential relation have representing polynomials with sub-quadratic $W$. These results are novel in the following sense. First, in the proof of non-negativity we propose a slightly more efficient witness algorithm, compared to the prior art. Our system of Diophantine equations for the exponential relation, on the other hand, has substantially shorter witnesses compared to what was known previously for this relation [AM76].

Theorem 2. An integer $\mu$ can be represented as $\mu = \omega_1^2 + \omega_2^2 + \omega_3^2 + \omega_4^2$ with integer $\omega_i$ iff $\mu \geq 0$. Moreover, if $\mu \geq 0$ then the corresponding representation $(\omega_1, \omega_2, \omega_3, \omega_4)$ can be computed efficiently by using Algorithm 1.

Proof. First, no negative integer is a sum of four squares. Second, if $\mu \geq 0$, $\mu$ can be decomposed as $\mu = \sum_{i=1}^{4} \omega_i^2$ by a well-known result of Lagrange from 1770. Rabin and Shallit [RS86] proposed a probabilistic polynomial-time algorithm for computing the witnesses $\omega_i$. The new Algorithm 1 is somewhat more efficient, due to the pairing of the Rabin-Shallit algorithm with the well-known Cornacchia algorithm from 1908 [Coh95, Section 1.5.2] that, given a prime $p \equiv 1 \pmod 4$, finds a pair $(\omega_3, \omega_4)$ such that $p = \omega_3^2 + \omega_4^2$. (To compare, the original Rabin-Shallit algorithm used the full Euclidean algorithm over Gaussian integers, while Cornacchia's algorithm uses the partial Euclidean algorithm over integers.) Finally, a square root of $-1$ modulo $p$ can be found efficiently. □
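Algorithm 1 (steps 1 to 4) and the two sub-steps the proof of Theorem 2 discusses, as an added example that is not the paper's own code: the square root of $-1$ is obtained as $c^{(p-1)/4} \bmod p$ for a random $c$, which succeeds with probability $1/2$ per trial when $p \equiv 1 \pmod 4$ is prime, and the two-squares step is the partial Euclidean algorithm on $(p, u)$ exactly as the algorithm states it. The choice of sampling $\omega_1, \omega_2$ uniformly and of returning `None` for negative input are assumptions of this implementation; the sample inputs are constructed.

```python
import math
import random


def _sqrt_minus_one(p, rng, tries=16):
    """Step 2b, first half: u with u^2 ≡ -1 (mod p), as c^((p-1)/4) for random c.
    Returns None if no trial works, which (almost always) means p is not prime."""
    for _ in range(tries):
        u = pow(rng.randrange(2, p), (p - 1) // 4, p)
        if u * u % p == p - 1:
            return u
    return None


def _two_squares(p, u):
    """Step 2b, second half: Euclidean remainder sequence of (p, u); the first two
    remainders below sqrt(p) are the candidates for (omega_3, omega_4)."""
    rems, a, b = [], p, u
    while a:
        rems.append(a)
        a, b = b, (a % b) if b else 0
    small = [r for r in rems if r * r < p]
    return tuple((small + [0, 0])[:2])


def _step2(mu, rng):
    """Steps 2a-2c for mu ≡ 2 (mod 4): peel off two squares of different parity, hope the
    remainder p ≡ 1 (mod 4) is prime, and write p as a sum of two squares."""
    while True:
        w1 = rng.randint(0, math.isqrt(mu))
        w2 = rng.randint(0, math.isqrt(mu - w1 * w1))
        if (w1 + w2) % 2 == 0:                  # need exactly one of w1, w2 even
            continue
        p = mu - w1 * w1 - w2 * w2              # p ≡ 1 (mod 4), so p = 1 or p >= 5
        if p == 1:
            return (w1, w2, 1, 0)
        u = _sqrt_minus_one(p, rng)
        if u is None:
            continue                            # p was not prime: back to step 2a
        w3, w4 = _two_squares(p, u)
        if w3 * w3 + w4 * w4 == p:
            return (w1, w2, w3, w4)


def lagrange(mu, rng=None):
    """Algorithm 1: four integers whose squares sum to mu; None if mu < 0 (Theorem 2)."""
    rng = random if rng is None else rng
    if mu < 0:
        return None
    if mu == 0:
        return (0, 0, 0, 0)
    t = (mu & -mu).bit_length() - 1             # step 1: mu = 2^t (2k+1)
    odd = mu >> t
    if t == 1:                                  # step 2
        return _step2(mu, rng)
    if t % 2 == 1:                              # step 3: odd t > 1, scale by s = 2^{(t-1)/2}
        s = 2 ** ((t - 1) // 2)
        return tuple(s * w for w in _step2(2 * odd, rng))
    # step 4: even t (t = 0 included); exactly two of the four are odd since 2(2k+1) ≡ 2 (mod 4)
    rep = _step2(2 * odd, rng)
    (w1, w2), (w3, w4) = [w for w in rep if w % 2], [w for w in rep if not w % 2]
    h = 2 ** (t // 2)                           # h = 2s; the halvings below are exact
    return (h * (w1 + w2) // 2, h * (w1 - w2) // 2, h * (w3 + w4) // 2, h * (w3 - w4) // 2)


def is_four_square_rep(mu, rep):
    """Verifier side of Theorem 2: does rep really represent mu?"""
    return rep is not None and len(rep) == 4 and sum(w * w for w in rep) == mu


if __name__ == "__main__":
    for mu in (1, 2, 12, 123456789, 2 ** 61 - 1):   # constructed sample inputs
        print(mu, lagrange(mu))
```

Negative entries are allowed in the output (the witnesses range over $\mathbb{Z}$, as Section 2 assumes); when $t = 0$ the factor $s = 2^{t/2-1} = 1/2$ of step 4 is applied as an exact halving of the even sums and differences.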

Exponential Relation Is in PD. For a long time, finding a representing polynomial for the exponential relation was the last open issue in the solution of Hilbert's 10th problem [Mat93]. Matiyasevich was the first to describe an explicit representing polynomial for the exponential relation. Alternative polynomials were later found in [Dav73,JSWW76], but none of these polynomials is really practical for our purposes due to at least cubic-length witnesses. However, Adleman and Manders showed in 1976 [AM76] that when one allows exponentially long witnesses when $x \notin S$ then the polynomial proposed in [MR75] can be modified to have sub-quadratic-length witnesses when $x \in S$.

Next, we construct a new representing polynomial that is slightly more efficient than the one in [AM76]. Our proof is based on ideas from [AM76,Mat93,Rob52]. To prove our result, we crucially use the next lemma that is an analogue of Lemma VII from [AM76]. ([AM76, Lemma VII] was stated for a different Lucas sequence, worked only when $c < 2d$, and guaranteed only that either $a \leq (2c)^d$ or $a \geq c^c$.)

Lemma 2. Let $(a, b, c, d)$ be any integers with $c > d + 2 > 2$. If $[(a^2 - cab + b^2 = 1) \wedge (0 \leq a < b) \wedge (a \equiv d \pmod{c-2})]$, then either $(a, b) = (c^{[d]}, c^{[d+1]})$ and $a \leq c^{d-1}$, or $(a, b) \neq (c^{[d]}, c^{[d+1]})$ and $a \geq (c-1)^{d+c-3}$.

Proof. Let $(a, b, c, d)$ be such integers. Since $[(a^2 - cab + b^2 = 1) \wedge (0 \leq a < b)]$, then $(a, b) = (c^{[x]}, c^{[x+1]})$ for some $x \in \mathbb{N}_0$. Since $e^{[f]} \equiv f \pmod{e-2}$ for any $e, f$ [Mat93], $[a \equiv d \pmod{c-2}]$ guarantees that $x \equiv d \pmod{c-2}$. Since $c > d + 2$, then $(a, b) = (c^{[d+k(c-2)]}, c^{[d+1+k(c-2)]})$ for some $k \geq 0$. If $x = d$ then $a = c^{[d]} \leq c^{d-1}$. On the other hand, if $x \neq d$ then $a \geq c^{[d+(c-2)]} \geq (c-1)^{d+c-3}$. □

Theorem 3. Assume $\mu_1 > 1$, $\mu_3 > 0$ and $\mu_2 > 2$. The exponential relation $[\mu_3 = \mu_1^{\mu_2}]$ belongs to PD. More precisely, let $E(\mu_1, \mu_2, \mu_3)$ be the next equation:

$(\exists_b\, \omega_1, \omega_2, \omega_3, \omega_4, \omega_5, \omega_6, \omega_7, \omega_8)$

$[(\omega_2 = \omega_1\mu_1 - \mu_1^2 - 1) \wedge (\omega_2 - \mu_3 - 1 \geq 0)\ \wedge$  (E1–E2)

$(\mu_3 - (\mu_1 - \omega_1)\omega_7 - \omega_8 = \omega_2\omega_3) \wedge (\omega_1 - 2 > 0)\ \wedge$  (E3–E4)

$((\omega_1 - 2)^2 - (\mu_1 + 2)(\omega_1 - 2)\omega_5 + \omega_5^2 = 1)\ \wedge$  (E5)

$(\omega_1 - 2 = \mu_2 + \omega_6(\mu_1 + 2)) \wedge (\omega_7 \geq 0) \wedge (\omega_7 < \omega_8)\ \wedge$  (E6–E8)

$(\omega_7^2 - \omega_1\omega_7\omega_8 + \omega_8^2 = 1) \wedge (\omega_7 = \mu_2 + \omega_4(\omega_1 - 2))]$,  (E9–E10)

where "$\exists_b$" signifies a bounded quantifier in the following sense: if $\mu_3 = \mu_1^{\mu_2}$ then $E(\mu_1, \mu_2, \mu_3)$ is true with $W = O(\mu_2^2 \log \mu_1) = o(M^2)$. On the other hand, if $\mu_3 \neq \mu_1^{\mu_2}$ then either $E(\mu_1, \mu_2, \mu_3)$ is false, or it is true but the intermediate witnesses $\omega_7$ and $\omega_8$ have length $\Omega(\mu_3 \log \mu_3)$, which is equal to $\Omega(2^M \cdot M)$ in the worst case.

(Note that 16 additional witnesses are needed in the four inequalities. For the sake of simplicity we will not list all of them.)

Proof. Denote the $i$th conjunctive subformula of $E$ by $E_i$. We will proceed by showing that the required witnesses are $\omega_1 \leftarrow (\mu_1 + 2)^{[\mu_2+1]} + 2$, $\omega_2 \leftarrow \omega_1\mu_1 - \mu_1^2 - 1$, $\omega_3 \leftarrow (\mu_3 - (\mu_1 - \omega_1)\omega_1^{[\mu_2]} - \omega_1^{[\mu_2+1]})/\omega_2$, $\omega_4 \leftarrow (\omega_7 - \mu_2)/(\omega_1 - 2)$, $\omega_5 \leftarrow (\mu_1 + 2)^{[\mu_2+2]}$, $\omega_6 \leftarrow (\omega_1 - 2 - \mu_2)/(\mu_1 + 2)$, $\omega_7 \leftarrow \omega_1^{[\mu_2]}$ and $\omega_8 \leftarrow \omega_1^{[\mu_2+1]}$. Really, let

$$B_a := \begin{pmatrix} a & -1 \\ 1 & 0 \end{pmatrix}, \qquad \text{then} \qquad B_a^{r} = \begin{pmatrix} a^{[r+1]} & -a^{[r]} \\ a^{[r]} & -a^{[r-1]} \end{pmatrix}$$

for any $a$ and $r$. For an $\omega_1$ that we will fix later, let $\omega_2 := \omega_1\mu_1 - \mu_1^2 - 1$, i.e., assume that $E_1$ holds. Then $(\mu_1, 1)^T$ is an eigenvector of $B_{\omega_1}$ modulo $\omega_2$, with eigenvalue $\mu_1$, since $B_{\omega_1}\cdot(\mu_1, 1)^T = (\omega_1\mu_1 - 1, \mu_1)^T \equiv (\mu_1^2, \mu_1)^T = \mu_1\cdot(\mu_1, 1)^T \pmod{\omega_2}$. Therefore,

$$\begin{pmatrix} \omega_1^{[\mu_2+1]} & -\omega_1^{[\mu_2]} \\ \omega_1^{[\mu_2]} & -\omega_1^{[\mu_2-1]} \end{pmatrix} \begin{pmatrix} \mu_1 \\ 1 \end{pmatrix} = B_{\omega_1}^{\mu_2} \begin{pmatrix} \mu_1 \\ 1 \end{pmatrix} \equiv \mu_1^{\mu_2} \begin{pmatrix} \mu_1 \\ 1 \end{pmatrix} \pmod{\omega_2}.$$

In particular, $\mu_1\omega_1^{[\mu_2]} - \omega_1^{[\mu_2-1]} \equiv \mu_1^{\mu_2} \pmod{\omega_2}$. Now, as soon as $\mu_1^{\mu_2} < \omega_2$, we can write $[\mu_3 = \mu_1^{\mu_2}] \iff [E_2 \wedge (\mu_1\omega_1^{[\mu_2]} - \omega_1^{[\mu_2-1]} \equiv \mu_3 \pmod{\omega_2})]$.

One can guarantee that $\mu_1^{\mu_2} < \omega_2$ by selecting $\omega_1$ so that $\omega_1 > \mu_1^{\mu_2-1} + \mu_1 + 2$. To be able later to apply Lemma 2, it also must be the case that $\omega_1 > \mu_2 + 2$. Since $\mu_1 > 1$, we can choose $\omega_1 \leftarrow (\mu_1 + 2)^{[\mu_2+1]} + 2 \geq (\mu_1 + 1)^{\mu_2} + 2 \geq \mu_1^{\mu_2} + \mu_1 + 2$.

Since $\mu_1 > 0$, we can invoke Lemma 2 with $(a, b, c, d) = (\omega_1 - 2, \omega_5, \mu_1 + 2, \mu_2)$. Since here it suffices to show that $\omega_1 - 2 = (\mu_1 + 2)^{[\mu_2 + k\mu_1]}$ and $\omega_5 = (\mu_1 + 2)^{[\mu_2 + k\mu_1 + 1]}$ for some $k \geq 0$, we are done by adding two verifications ($E_5$ and $E_6$) from Lemma 2. (More precisely, here one does not have to verify that $\omega_1 - 2 < \omega_5$.)

Now, due to the choice of $\omega_1$, $\omega_1 > (\mu_1 + 2)^{[\mu_2+1]} \geq \mu_2 + 2$. Therefore, Lemma 2 with inputs $(a, b, c, d) = (\omega_7, \omega_8, \omega_1, \mu_2)$ guarantees that after doing the verifications ($E_7$ to $E_{10}$), one can be assured that one of the next two cases is true. First, $(\omega_7, \omega_8) = (\omega_1^{[\mu_2]}, \omega_1^{[\mu_2+1]})$. Then $|\omega_7| \approx |\omega_8| \approx \mu_2\cdot|\omega_1| \approx \mu_2\cdot|\mu_1^{\mu_2}| \leq \mu_2\cdot|\mu_3| < |\mu_3|^2 \leq 2|M|^2$. (Note that $M \approx \mu_2|\mu_1|$.) Second, $(\omega_7, \omega_8) \neq (\omega_1^{[\mu_2]}, \omega_1^{[\mu_2+1]})$, but then $|\omega_7| \geq |(\omega_1 - 1)^{\omega_1 - 2}| \approx \omega_1|\omega_1| \approx \mu_1^{\mu_2+1}\cdot\log_2 \mu_1^{\mu_2+1} \geq \mu_3\cdot\log_2 \mu_3 \approx 2^M\cdot M$, which is exponential in the input size. □

The largest $\omega$-function occurring in this theorem is

$$\omega_8 = \omega_1^{[\mu_2+1]} = Z_{(\mu_1+2)^{[\mu_2+1]}+2}(\mu_2 + 1) \leq Z_{(\mu_1+2)^{\mu_2}+2}(\mu_2 + 1) \leq \left((\mu_1 + 2)^{\mu_2} + 2\right)^{\mu_2}.$$

For comparison, [AM76] used an equation system from [MR75], where the largest $\psi$-function (for a different Lucas sequence $\psi$) is $\psi_{4(\mu_2\mu_3(\mu_3+1) + \mu_1^2 + 2\mu_1)}(\mu_2 + 1)$. The cases $\mu_1 \in [0, 1]$, $\mu_3 = 0$ and $\mu_2 \in [0, 1, 2]$ can be handled trivially, and therefore the exponential relation belongs to PD for any $\mu_1, \mu_2, \mu_3$. One application of this theorem is that an arbitrary Turing machine can be emulated by a slightly more efficient Diophantine Turing machine than it was known before [AM76].
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4 Cryptographic Applications 

Diophantine Membership Arguments. Given a secure integer commitment 
scheme with efficient HVSZK AoK-s for additive and multiplicative relations, 
one can argue in HVSZK that any polynomial relation holds between a tuple of 
committed integers [F099]. That is, one can argue in HVSZK that p{p) = 0 for 
some fixed p £ 2Z[X\, and a committed /x £ 2Z n . 

We will expand the [F099]-methodology as follows. When S £ D and the 
arguer knows the witness, then by using an integer commitment scheme, she 
can argue in HVSZK that she knows an auxiliary (suitably chosen) witness 
u, such that 94s (/q a; ) = 0, where 94s is again the representing polynomial of 
S. This results in a what we call a Diophantine argument system AK(ci = 
Ck(P\ I'n'-Pl) A (/O ,/J n ) £ S). 

The asymptotical communication complexity of the resulting Diophantine 
argument system is 0(W + M), where the constant depends on the number of 
parameters and witnesses, but also on the degree of 94s and on the internal struc- 
ture of 94s- (For example, a Diophantine argument system for Hi +p 2 = + wf 

requires a constant times more interaction than the one for p-\ = ujj.) Thus, Dio- 
phantine argument systems with interaction M oll> exist for all S € D. In par- 
ticular, an immediate corollary of the positive solution to the Adleman-Manders 
conjecture NP = D is that every set S £ NP has a Diophantine HVSZK ar- 
gument system with communication complexity However, there are two 

practical considerations. 

First, if (say) W = Ω(M²) then the resulting argument systems are asymptotically too long to have immediate applications in cryptography. As we also show in this paper, finding representing polynomials R_S with small W is a nontrivial task, and it often needs breakthroughs in number theory.

Note also that quadratic length seems to be a reasonable metering point, since for many interesting predicates one can build trivial quadratic-length zero-knowledge arguments (here and in the following, assume for the sake of simplicity that the input length M is larger than the security parameter k). In such AoK-s, one separately commits to every bit of the input, and then shows that the committed bits satisfy some Boolean formula. An immediate corollary of Theorem 1 is that one can build sub-quadratic-length HVSZK AoK-s for all languages from Z/2. Therefore, our AoK-s are an improvement upon such argument systems.

Second, if S ∈ D \ PD, the arguer cannot efficiently find the witness ω for every relevant input μ. In such a case, the witness ω can be seen as trapdoor information. However, this case is still relevant in certain cryptographic applications. For example, the relation ["μ is composite"] = [(∃μ_1, μ_2 ≤ μ)[μ = μ_1μ_2 ∧ μ_1 > 1 ∧ μ_2 > 1]] does not have a witness algorithm, given that factoring is hard. (The resulting argument system that a committed number is composite can be compared to a more complex protocol by Poupard and Stern [PS00].) In particular this means that D ≠ PD, unless factoring is easy.

Note that to apply the previously described methodology, one needs to both encrypt and commit all messages. Additionally, one needs to argue that the encrypted and committed messages are equal. This can be done straightforwardly by using standard cryptographic tools. We finish the paper with concrete applications and protocols. There are definitely more applications than we mention in the following. In particular, our methodology is not limited to the outsourcing model.

Example: Efficient Range Proofs. A cryptographically important argument system for ℕ_0 (a partial list of potential applications of this argument system can be found in [Bou00]; it includes electronic cash systems, verifiable encryption, group signatures, publicly verifiable secret sharing schemes and other zero-knowledge protocols; more applications can be found in [LAN02] and in the current paper) can be based on Theorem 2. Briefly, during this argument system, the arguer first represents μ as μ = ω_1² + ω_2² + ω_3² + ω_4² (here, ω = (ω_1, …, ω_4) is the witness). After that, she argues in HVSZK that she knows such a representation. Our argument system is based on the new integer tuple commitment scheme. The full argument system is described in Appendix B. A non-interactive version of this argument system is ≈ 1700 bytes long for realistic security parameters. This is slightly shorter than Boudot's argument system [Bou00] for the same problem. Additionally, our argument system is perfectly complete, while Boudot's argument system is not. A nice demonstration of the usefulness of the new integer tuple commitment scheme (presented in Appendix A) is the fact that this argument system has only a ≈ 1.9 times larger non-interactive argument than the original multiplication proof of Damgård and Fujisaki; this is achieved by doing four squarings in parallel.

Outsourcing Model. A general setting in many cryptographic protocols (like voting and auctions [LAN02]) involves a set of participants, an authority and possibly an impartial third party. The participants make social or financial choices {v_i}, encode them as {enc(v_i)} by using some encoding function enc, then encrypt the resulting encodings by using a homomorphic public-key cryptosystem and the third party's public key, and send the results, together with an HVSZK argument of correctness, to the authority. (Of course, we assume that all the steps are authenticated.) The authority multiplies the ciphertexts and sends the product ∏_i E_K(enc(v_i)) = E_K(Σ_i enc(v_i)) to the third party. The third party decrypts the result, obtains the sum Σ_i enc(v_i) and applies a decoding function dec to obtain the vector e = (…, e_j, …), where e_j can for example be the number of voters whose choice was j. The third party applies some function final to e, and sends final(e) to the authority together with a zero-knowledge argument of correctness that final(e) was correctly computed. The authority then broadcasts final(e) and the argument of correctness to all participants.

As an example, final could be the identity function. Then this model implements a common voting process with an accountable third party. If final(e) = j_0 where e_{j_0} = max_j e_j, one could implement voting with minimal information disclosure. Namely, the authority would only get to know the name of the winner. To the best of our knowledge, there are no such efficient prior-art voting schemes. One can also implement (b+1)st-price auctions by choosing final(e) = j_0, where j_0 is the (b+1)st largest social choice [LAN02]. (This includes Vickrey auctions, for example.)
In general, the "outsourcing" model enables one to construct secure and extremely efficient voting (or auction) schemes with the only drawback that the third party (but only she) will get to know the value of e. In particular, this enables one to avoid threshold trust. See [LAN02] for a discussion of why, at least in the auction scenario, the information leakage to the authority does not matter but the property of not using threshold trust does. In the most common real-world voting scenario, the vector e is meant to be leaked. Moreover, even in nation-wide elections, one does not really want to have threshold trust between computers. Instead, it seems to be desirable (as discussions with the members of electoral committees show) that the encoded and encrypted vector e can be decrypted by using a single hardware-protected private key that can be used only in the presence of several trusted entities and independent experts, and will be destroyed as soon as some allocated period at the end of the elections (and all election-related legal discussions) has ended.

Now, final can be any function for which the predicate [y = final(x)] belongs to PD. As we have shown, extremely efficient arguments are available when final ∈ Z/2. It is not known how to implement so many different schemes for such a broad variety of functions final as efficiently in the model that involves threshold trust but no third party, like in [CGS97,DJ01]. In particular, no really efficient (b+1)st-price auctions are known in the threshold trust scenario.

Efficient Range Arguments in Exponents. The costliest part of the otherwise efficient Damgård-Jurik voting protocol from [DJ01] involves an argument for AK(y = E_K(enc(μ)) ∧ μ ∈ [0, h]) that is necessary to show that the votes were encoded properly. We call this argument a range argument in exponents (RAIE). An RAIE is also necessary in the auction protocol of [LAN02], both to show that the bids were encoded correctly, and that the authority returns the correct value of final(e). The proposed AoK-s from [DJ01,LAN02] have interaction Θ(max(k, m · log a) · log m) = Θ(m · log a · log m), where a is an a priori fixed upper bound on the number of participants, and m is the number of possible social choices. (This follows from [LAN02, Section 8], when we assume that the security parameter is approximately equal to m log a.)

The most efficient known RAIE [LAN02] has enc(μ) := (nextprime(a))^μ (where nextprime(a) is the smallest prime > a) and results in a HVSZK AoK with interaction length Θ(m · log a). We propose two different RAIE-s that do not require computing the nextprime function. The first approach sets enc(μ) := Z_a(μ + 1), where Z_a(μ) is the μth element in the familiar Lucas sequence, and results in a HVSZK AoK with interaction length Θ(m · log a). Application of Z instead of the exponentiation enables us to improve over the communication efficiency of the Damgård-Jurik multi-candidate voting scheme [DJ01] and over the Lipmaa-Asokan-Niemi (b+1)st-price auction scheme [LAN02] by a factor of Θ(log m). Finally, we propose a Diophantine RAIE with enc(μ) := a^μ and interaction Θ(W + M) = Θ(M^{2−ε}) = Θ((m · log a)^{2−ε}).

First Approach: Lucas Sequences. The function Z_a(n) is a suitable replacement for exponentiation in the sense intended in [DJ01,LAN02], since (a − 1)^n < Z_a(n) < a^n whenever a > 2 (this makes the constants e_j in the sum Σ_i Z_{a+1}(v_i) = Σ_j e_j Z_{a+1}(j) unambiguous whenever v_i ∈ [1, h], and thus makes it possible to uniquely recover the vector e from Σ_i enc(v_i); however, we must make the plausible assumption that a > 2, for a = 2 one has to use another approach), and since Z_a(n) can be computed in time O(log n). Most importantly, one can very efficiently argue that the committed number μ belongs to the set {a^[n] : n ≥ 0 ∧ n = k^{O(1)}} by using the representing polynomial R(μ; ω) = ω² − aμω + μ² − 1. This must be accompanied by an AoK that μ ∈ [1, h]. The length of a non-interactive version of this argument is ≈ 1200 bytes for realistic security parameters. A minor drawback of this solution is that computing Z_a(n) requires about twice as many resources as computing a^n without the function nextprime. (Also, in some solutions one cannot readily substitute exponentiation with the function Z.) Note also that Z_a(n) is not the unique Lucas sequence that satisfies all these conditions.
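As an added illustration (not code from the paper), the following Python computes Z_a(n) in O(log n) by a 2×2 matrix power, checks the bounds and the representing polynomial on consecutive terms, and shows the tally recovery the paragraph relies on. It assumes the indexing Z_a(0) = 1, Z_a(1) = a, Z_a(n+1) = aZ_a(n) − Z_a(n−1), i.e. Z_a(n) = U_{n+1}(a, 1), and goes slightly beyond the text by writing out the greedy decoder for the sum Σ_i Z_{a+1}(v_i).

```python
# Added example, not from the paper. Assumed indexing: Z_a(0) = 1, Z_a(1) = a,
# Z_a(n+1) = a*Z_a(n) - Z_a(n-1), i.e. Z_a(n) = U_{n+1}(a, 1).

def lucas_z(a, n):
    """Z_a(n) with O(log n) multiplications: [[a, -1], [1, 0]]^n applied to the
    start vector (Z_a(0), Z_a(-1)) = (1, 0); the answer is the top-left entry."""
    if n < 0:
        raise ValueError("n must be nonnegative")

    def mul(x, y):
        return ((x[0][0] * y[0][0] + x[0][1] * y[1][0], x[0][0] * y[0][1] + x[0][1] * y[1][1]),
                (x[1][0] * y[0][0] + x[1][1] * y[1][0], x[1][0] * y[0][1] + x[1][1] * y[1][1]))

    result = ((1, 0), (0, 1))
    base = ((a, -1), (1, 0))
    while n:
        if n & 1:
            result = mul(result, base)
        base = mul(base, base)
        n >>= 1
    return result[0][0]


def lucas_z_slow(a, n):
    """Reference O(n) recurrence used to cross-check lucas_z."""
    prev, cur = 0, 1            # (Z_a(-1), Z_a(0))
    for _ in range(n):
        prev, cur = cur, a * cur - prev
    return cur


def representing_poly(a, mu, omega):
    """R(mu; omega) = omega^2 - a*mu*omega + mu^2 - 1; it vanishes exactly on
    consecutive terms (mu, omega) = (Z_a(n), Z_a(n+1)), which is what the arguer
    shows about a committed mu in the first approach."""
    return omega * omega - a * mu * omega + mu * mu - 1


def within_bounds(a, n):
    """(a-1)^n < Z_a(n) < a^n, which holds for a >= 3 and n >= 2 with this indexing."""
    z = lucas_z(a, n)
    return (a - 1) ** n < z < a ** n


def encode_tally(choices, voters, candidates):
    """The homomorphic sum the third party decrypts: sum of enc(v_i) = Z_{voters+1}(v_i)
    over votes v_i in [1, candidates]; at most `voters` votes are allowed."""
    if len(choices) > voters or any(not 1 <= v <= candidates for v in choices):
        raise ValueError("too many voters or a choice out of range")
    return sum(lucas_z(voters + 1, v) for v in choices)


def decode_tally(total, voters, candidates):
    """Recover e = (e_1, ..., e_candidates) from the sum. Greedy division from the top
    works because, for base voters+1, voters*(Z(0)+...+Z(j-1)) = Z(j) - Z(j-1) < Z(j),
    so the lower-indexed terms (each e_i <= voters) never reach the next Lucas number."""
    e = [0] * (candidates + 1)
    for j in range(candidates, 0, -1):
        e[j], total = divmod(total, lucas_z(voters + 1, j))
    if total != 0:
        raise ValueError("not a valid tally")
    return e[1:]
```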

Second Approach. Here, one would have enc(μ) = a^μ, as in [DJ01,LAN02]. The argument system from Thm. 2 is usually not more communication-efficient than the protocols from [DJ01,LAN02]; however, it is constant-round, which may have advantages in some concrete applications. (Precise analysis omitted due to the space constraints. Note that here we have the relation [μ_2 = a^{μ_1}] for a constant a, which allows us to improve on Thm. 3.)
Efficient Diophantine membership arguments can be given for many inter-

We hope that this paper stimulates the research both in finding more efficient representing polynomials for concrete sets S but also in giving a (positive or
A Extensions to Damgård-Fujisaki Integer Commitment Scheme

Let Gen be a group generation algorithm that on the input 1^k outputs the description descr(G) of a finite Abelian group G. Apart from the usual assumptions (given D ∈ Σ*, it is easy to verify that D ∈ Gen(1^k), easy to verify whether some x belongs to G for which D = descr(G), and easy to perform group operations in G for which D = descr(G)), we require a few additional assumptions.

First, one assumes that while the arguer knows a reasonably close upper bound 2^B > ord(G) on the order of G, B = B_G, he does not know the order itself. Let ℓ(k) be polynomial in k. Another large number F = F(k) is chosen, such that it is still feasible to factor numbers that are smaller than F(k). Say, F(k) = O(k^{log k}). (In our calculations we will take F(k) = 2^80 when k = 1024.) Based on the fundamental theorem of finite Abelian groups, one can write G as G = U × H, where the order of U has only prime factors at most F(k) (we call such numbers F(k)-smooth) and the order of H has prime factors larger than F(k) (we call such numbers F(k)-rough).

Let ℓ(G) := |U|. Then ℓ(G) is F(k)-smooth. It is assumed that (1) ℓ(G) ≤ ℓ(k) and that descr(G) includes ℓ(G); (2) for any string x it can be decided in polynomial time, based on (x, descr(G)), whether x represents an element in G. Finally, it is assumed that the next strong divisible root assumption holds: given a random G ← Gen(1^k) and y ← G, it is hard to produce such (x, d, e) that y^e = x^{de} and e < ℓ(G). The probability is taken over the coin tosses of Gen and of the adversary. Note that this assumption is an equivalent but simpler version of the root assumption from [DF02].

It was shown in [DF02] that G can be chosen as ℤ_n^* for an RSA modulus n = pq, such that gcd(p − 1, q − 1) = 2, p − 1 and q − 1 do not have too many small factors, and the strong RSA assumption holds. However, when the RSA group ℤ_n^* is used, one must additionally assume that the arguer does not know the value φ(n). This may be achieved, for example, when the verifier creates n and keeps its factorisation secret.

Commitment Scheme. During the setup phase of the Damgård-Fujisaki integer commitment scheme, A and V agree on the group G and on a large integer F(k). Verifier V chooses a random element h ∈ G (which by the group assumptions has an F(k)-rough order [DF02] with overwhelming probability; to make the order certainly F(k)-rough, one might raise a random element to the power ℓ(G)) and a random secret key s ← ℤ_{2^{B+k}}. V sets g ← h^s. Verifier V sends the public key K = (g; h) to A and then proves in SZK that g ∈ ⟨h⟩. Let C_com denote the commitment space of the used integer commitment scheme (in this concrete case, C_com = G). When committing to m ∈ ℤ, A chooses a random r ← ℤ_{2^{B+k}} and sends C_K(m; r) := g^m h^r to V. To open a commitment c, A sends to V a triple (m, r, b), such that c = C_K(m; r) · b and b^{ℓ(G)} = 1. (For an explanation of the role of b in the opening phase, see [DF02].) Alternatively, A can send only (m, r) to V, who then verifies that c^{ℓ(G)} = C_K(m; r)^{ℓ(G)}. Clearly, this alternative is equivalent to the Damgård-Fujisaki commitment scheme in security. (The proof of this is trivial: if c^{ℓ(G)} = C_K(m; r)^{ℓ(G)} then V can compute b as b ← c · C_K(m; r)^{−1}. Clearly, b^{ℓ(G)} = 1 and c = C_K(m; r) · b. On the other hand, given b with b^{ℓ(G)} = 1 and c = C_K(m; r) · b, clearly c^{ℓ(G)} = C_K(m; r)^{ℓ(G)}.)


Integer Tuple Commitment Scheme. We now sketch an extension to the Damgård-Fujisaki commitment scheme that allows one to simultaneously commit to a tuple of integers. As in the Damgård-Fujisaki commitment scheme, the arguer and verifier initially agree on a group G, and then the verifier creates a random element h ∈ G. Additionally, the verifier will choose n random elements s_i ← [0, 2^{B+k}], where B is a security parameter [DF02], set g_i ← h^{s_i} and send the values g_i to the arguer. Apart from that, arguer A and verifier V follow the same initialisation rules as in the Damgård-Fujisaki scheme. A tuple (μ_1, …, μ_n) ∈ ℤ^n is committed by drawing a random integer ρ ← [0, 2^{B+k}] and then setting the commitment to C_K(μ_1, …, μ_n; ρ) := (∏_{i=1}^n g_i^{μ_i}) · h^ρ. During the opening phase, A sends the tuple (μ_1, …, μ_n; ρ) to V, and the verifier checks that c^{ℓ(G)} = C_K(μ_1, …, μ_n; ρ)^{ℓ(G)}, where ℓ(G) is another security parameter [DF02]. (Equivalently, A can send the tuple (μ_1, …, μ_n; ρ; b), and the verifier checks that c = C_K(μ_1, …, μ_n; ρ) · b and that b^{ℓ(G)} = 1.)

It is straightforward to show that the security of the Damgård-Fujisaki integer commitment scheme and the security of the sketched extension (that we call the RDF integer commitment scheme) are equivalent, given that the arguer does not know the mutual discrete logarithms of the elements g_i. As a simple corollary, we can use the RDF integer commitment scheme C to build HVSZK AoK-s of type AK(⋯ ∧ y = C_K(μ_1, …, μ_n; ρ) ∧ ⋯).

The RDF integer commitment scheme can be used to speed up many argument systems, by enabling one to prove several multiplicative or additive relations at once [Bra97]. (In contrast, without using the RDF scheme, a separate protocol must be used for every polynomial relation.) That is, such combined arguments enable one to argue in parallel that ∧_i y_i = p(μ_{i1}, …, μ_{in}) for polynomially many instances of any polynomial p.

Protocol 1 Computationally sound HVSZK argument system for the set of nonnegative integers.

1. Arguer A represents μ as ω_1² + ω_2² + ω_3² + ω_4², using the algorithm from Theorem 2. For i ∈ [1, 4], A chooses random r_{1i} ← ℤ_{2^{B+k}} such that Σ_i r_{1i} = ρ, chooses random m_{1i} ← ℤ_{2^k F(k) M^{1/2}} and r_{2i} ← ℤ_{2^{B+2k} F(k)}, and lets c_{1i} ← C_K(ω_i; r_{1i}). She also chooses a random r_3 ← ℤ_{2^{B+2k} F(k) M^{1/2}} and lets c_2 ← ∏_{i=1}^4 C_K(m_{1i}; r_{2i}) and c_3 ← C_{K'}(m_{11}, …, m_{14}; r_3), where K' = (c_{11}, …, c_{14}; h). Arguer sends (c_{11}, c_{12}, c_{13}, c_{14}, c_2, c_3) to V.

2. V generates a random e ← ℤ_{F(k)} and sends it to A.

3. A computes m_{2i} ← m_{1i} + eω_i, r_{4i} ← r_{2i} + e r_{1i}, i ∈ [1, 4], and r_5 ← r_3 + e Σ_i (1 − ω_i) r_{1i}. A sends (m_{21}, m_{22}, m_{23}, m_{24}, r_{41}, r_{42}, r_{43}, r_{44}, r_5) to V.

4. V checks that ∏_i (C_K(m_{2i}; r_{4i}) · c_{1i}^{−e}) = c_2 and (∏_i c_{1i}^{m_{2i}}) · h^{r_5} c^{−e} = c_3.

As an example, one can construct an argument for the multiplicative relation AK(y = C_K(μ_1, μ_2, μ_1μ_2; ρ)), K = (g_1, g_2, g_3; h), that is approximately 20% shorter than the argument from [DF02] when using the same security parameters. The argument is based on the idea that y = C_K(μ_1, μ_2, μ_3; ρ) with μ_3 = μ_1μ_2 iff A knows such a c_1 that c_1 = C_{K_1}(μ_1; ρ_2) and y = C_{K_2}(μ_1, μ_2; ρ_3), where K_2 = (g_1, g_2 c_1; h). (This holds except with a negligible probability.)

The RDF integer tuple commitment scheme exhibits the next public-key homomorphicity property, the use of which makes many AoK-s more efficient: if K = (g_1, …, g_n; h) and K' = (∏_i g_i^{a_{1i}} · h^{r_1}, …, ∏_i g_i^{a_{ni}} · h^{r_n}; h) then

C_{K'}(μ_1, …, μ_n; ρ) = C_K(Σ_j a_{j1} μ_j, …, Σ_j a_{jn} μ_j; Σ_j r_j μ_j + ρ).


B Argument System for Non-negativity

Theorem 4. Let C be the RDF integer tuple commitment scheme, let k be the security parameter and let log_2 M = k^{O(1)}. Let K = (g; h) be the public key. Protocol 1 is a perfectly complete AoK for AK(c = C_K(Σ_{i=1}^4 ω_i²; ρ)), or equivalently, for AK(c = C_K(μ; ρ) ∧ μ ≥ 0). If μ < M then Protocol 1 is HVSZK.

Proof. Proof idea: show that y = C_K(Σ_i v_i) ∧ ∧_i (c_i = C_K(ω_i) ∧ v_i = ω_i²), where all four AoK-s c_i = C_K(ω_i) ∧ v_i = ω_i² are done in parallel.

Completeness. ∏_{i=1}^4 (C_K(m_{2i}; r_{4i}) · c_{1i}^{−e}) = ∏_{i=1}^4 (C_K(m_{1i} + eω_i; r_{2i} + e r_{1i}) · C_K(−eω_i; −e r_{1i})) = ∏_{i=1}^4 C_K(m_{1i}; r_{2i}) = c_2 and ∏_i c_{1i}^{m_{2i}} · h^{r_5} c^{−e} = ∏_i c_{1i}^{m_{1i}} · ∏_i (C_K(ω_i; r_{1i}))^{eω_i} · h^{r_3 + e Σ_i (1 − ω_i) r_{1i}} · C_K(−e Σ_i ω_i²; −eρ) = ∏_i c_{1i}^{m_{1i}} · h^{r_3} = c_3.

HVSZK. The simulator acts as follows. For i ∈ [1, 4], generate c_{1i} ← C_com, m_{2i} ← ℤ_{2^k F(k) M^{1/2}}. For i ∈ [1, 4], generate r_{4i} ← ℤ_{2^{B+2k} F(k)}. Generate e ← ℤ_{F(k)}, r_5 ← ℤ_{2^{B+2k} F(k) M^{1/2}}. Let c_2 ← ∏_{i=1}^4 C_K(m_{2i}; r_{4i}) c_{1i}^{−e}. Let c_3 ← ∏_i c_{1i}^{m_{2i}} · h^{r_5} c^{−e}. The resulting view ((c_{1i})_i, c_2, c_3; e; (m_{2i})_i, (r_{4i})_i, r_5) is accepting and has a distribution statistically close to the distribution of views in a real execution.
To prove that this protocol is specially sound, we must show that from two accepting views, ((c_{1i})_i, c_2, c_3; e; (m_{2i})_i, (r_{4i})_i, r_5) and ((c_{1i})_i, c_2, c_3; e'; (m'_{2i})_i, (r'_{4i})_i, r'_5) with e ≠ e', one can efficiently find a tuple ((ω_i)_i, ρ), such that c = C_K(Σ_i ω_i²; ρ). This can be proven as follows. Given such views, ∏_{i=1}^4 C_K(m_{2i} − m'_{2i}; r_{4i} − r'_{4i}) = ∏_{i=1}^4 c_{1i}^{e−e'} and ∏_{i=1}^4 c_{1i}^{m_{2i} − m'_{2i}} · h^{r_5 − r'_5} = c^{e−e'}. Assuming K' = (c_{11}, …, c_{14}; h), this is equivalent to C_{K'}(m_{21} − m'_{21}, …, m_{24} − m'_{24}; r_5 − r'_5) = c^{e−e'}. By the generalisation of Lemma 1 from [DF02] and by |e − e'| ∈ ℤ_{F(k)}, there exists a verifier V* who together with the arguer A can break the strong divisible root problem with a high probability. □

The non-interactive version of this argument system is

((c_{1i})_i; e mod 2^k; (m_{2i}, r_{4i})_{i=1}^4, r_5),

where the verifier checks that

e = H(c_{11}, …, c_{14}, (C_K(m_{2i}; r_{4i}) c_{1i}^{−e})_{i=1}^4, (∏_i c_{1i}^{m_{2i}}) · c^{−e} · h^{r_5}) (mod 2^k).

The length of the non-interactive argument system is 4|C_com| + k + 4(B + 3k + 2 log_2 F(k) + ½ log_2 M) + B + 2k + log_2 F(k) + ½ log_2 M = 4096 + 80 + 4 · (1024 + 240 + 160) + 1024 + 160 + 80 + (5/2) log_2 M = 11136 + (5/2) log_2 M bits or 1392 + (5/16) log_2 M bytes.

One can parallelise this argument system even more. Namely, to prove that y = C_K(μ; ρ), it suffices to prove that c_i = C_K(ω_i; r_i) and y = (∏_i c_i^{ω_i}) · h^{r_0}, where r_0 ← ρ − r_1ω_1 − ⋯ − r_4ω_4.
Abstract. We describe a slightly modified version (that we call the HOT protocol) of the Aiello-Ishai-Reingold oblivious transfer protocol from
Eurocrypt 2001. In particular, the HOT protocol will be what we call 
weakly secure when coupled with many different homomorphic semanti- 
cally secure public-key cryptosystems. Based on the HOT protocol, we 
construct an efficient verifiable oblivious transfer protocol and an efficient 
verifiable private equality test. As a concrete application of our results, 
we propose a novel protocol called proxy verifiable private equality test, 
and apply it to a cryptographic auction scheme to improve its security. 

Keywords: cryptographic auctions, homomorphic encryption, verifiable 
oblivious transfer, verifiable private equality test. 


1 Introduction 

In a two-party (ⁿ₁)-oblivious transfer (OT) protocol the chooser receives a chosen single input from the database of n items, without the sender getting to know which element was retrieved. We first present a concise proof that a slightly modified version (that we call the homomorphic oblivious transfer or the HOT protocol) of the (ⁿ₁)-OT protocol of [AIR01] is perfectly sender-private iff for all possible private keys x of the used homomorphic semantically secure public-key cryptosystem, the corresponding plaintext space is a cyclic group of prime order M. Additionally, we show that the HOT protocol is computationally sender-private when M is composite but hard to factor by the chooser. This makes it possible to use the recent Damgård-Jurik cryptosystem [DJ03] in this context.

We then also introduce another security notion for oblivious transfer protocols, weak sender-privacy, that is sufficient whenever the oblivious transfer protocol does not have to be chooser-verifiable. Intuitively, a protocol is weakly sender-private if the chooser will never obtain information about more than one item from the database; however, the Chooser can still obtain information about a single item of the database even if his input to the protocol is out of bounds. We show that the (ⁿ₁)-HOT protocol is weakly sender-private whenever M_Π(x) is a residue class ring with Φ(M) > n, where Φ(M) is the smallest prime divisor of M. A weakly sender-private (ⁿ₁)-HOT protocol can

C.S. Laih (Ed.): ASIACRYPT 2003, LNCS 2894, pp. 416-433, 2003. 
be made sender-private by accompanying it with a zero-knowledge argument that the chooser's input was in the correct range. In this case, some suitable homomorphic cryptosystems are [El84,Pai99,DJ01,DJ03], and possibly [NS98,OU98]. Therefore, the (ⁿ₁)-HOT protocol can be based on different hardness assumptions (like the DCRA assumption of Paillier [Pai99]), made to work efficiently with long strings (in the case of the Damgård-Jurik cryptosystems [DJ01,DJ03]), and efficiently thresholded (in the case of [El84,DJ03]).

In a verifiable (also known as "committed" [CvdGT95,CD97,CC00]) oblivious transfer protocol, the chooser obtains the sender's commitment to every database element and can later verify if these elements were equal to some other elements, used in other parts of the higher-level protocol. In the new verifiable homomorphic oblivious transfer protocol (Protocol 2), the chooser and the sender execute the HOT protocol so that the chooser obtains the random number that was used by the sender to commit to the chosen database element. Security of the verifiable HOT protocol depends additionally on the security of the employed homomorphic commitment scheme Γ, and on a simple relation between the sizes of the plaintext spaces of Π and Γ. In particular, the verifiable HOT protocol based on the ElGamal cryptosystem and on the CGHN commitment scheme [CGHN01] is perfectly sender-private (unlike the recent slightly less efficient verifiable oblivious transfer protocol of [AJL03] that offers only statistical sender-privacy), and allows efficient reconstruction of the transmitted data item (unlike, again, [AJL03]).

After that, we show how to use the ideas, developed while constructing the HOT and the verifiable HOT protocols, in another context. Private equality test (PET) [FNW96,NP99,BST01] (let the Chooser know whether the private inputs w_Cho and w_Sen of the Chooser and the Sender are equal without leaking any other information) is yet another widely used cryptographic protocol. We propose a new two-round homomorphic PET (HPET) protocol that is very similar to the (ⁿ₁)-HOT protocol. Previously known PET protocols [FNW96,NP99,BST01] were significantly less efficient. The HPET protocol is perfectly sender-private when based on a homomorphic semantically secure public-key cryptosystem with a prime M like the ElGamal [El84]. Computational privacy is achieved when the decrypter cannot factor M [DJ03]. As with the HOT protocol, we show how to make the HPET protocol verifiable, although the concrete technique for this will be different.

Finally, we propose a novel application for the new verifiable HPET protocol. Namely, we show that it can be generalised to the proxy verifiable HPET protocol and then use the latter to increase the security of the probably most efficient currently known ((b+1)st-price sealed-bid) cryptographic auction scheme without threshold trust by Lipmaa, Asokan and Niemi [LAN02]. More precisely, we show how to make the payment enforcement phase of [LAN02] more secure by not revealing the contract price either to the bidders or to the seller before all the bidders have shown, by using the proxy verifiable HPET protocol, whether their bid was equal to the (yet unknown to them) value of the highest bid. We hope to see more applications of the proxy verifiable HPET protocol in the future, especially since, to the best of our knowledge, no efficient proxy PET protocols were known previously at all.

All the proofs in this paper are slightly simplified due to the lack of space. 


Road-Map. We start the paper by describing cryptographic building blocks 
(Section 2). Section 3 defines some properties of the public-key cryptosystems 
that we need later. Our main contribution starts with Section 4, where we pro- 
pose the new oblivious transfer protocols and prove their security. In Section 5, 
we describe a new private equality test protocol, together with some exten- 
sions. Finally, in Section 6 we propose some applications of the new protocols. 
In particular, we demonstrate how to use the proxy verifiable PET protocol in 
auctions. 

2 Preliminaries and Cryptographic Building Blocks 

Throughout this paper, let k be the security parameter. We assume that the reader knows standard complexity-theoretic notions like negligibility and probabilistic polynomial time (PPT); we take the latter to be equivalent to "efficiently computable". For a positive integer x, let Φ(x) denote the smallest prime divisor of x. Let φ(x) be Euler's totient function of x. Recall that if x = ∏_i p_i^{c_i} for different primes p_i then φ(x) = x · ∏_i (1 − 1/p_i).

For a distribution (random variable) X, let x ← X denote the assignment of x according to X. We often identify sets with the uniform distributions on them, and algorithms with their output distributions, assuming that the algorithm that outputs this distribution is clear from the context or just straightforward to construct. The statistical difference of two distributions X and Y over the discrete support U is defined as Δ(X ∥ Y) := max_{S ⊆ U} |Pr[X ∈ S] − Pr[Y ∈ S]|.


Homomorphic Semantically-Secure Cryptosystems. Let Π = (G_Π, E, D) be a public-key cryptosystem, where G_Π is the key generation algorithm G_Π : 1^k ↦ (x, K), E is the encryption algorithm E_K : (m; r) ↦ E_K(m; r) and D is the decryption algorithm D_K : c ↦ D_K(c). Assume that for every possible private key x, the corresponding message space M_Π(x) is an Abelian group with the group operation +, and that the corresponding ciphertext space C_Π(x) is an Abelian group with the group operation ·. We denote the space of random coins by R_Π(x). (In particular, this notation indicates that M_Π(x), R_Π(x) and C_Π(x) might be unknown to the encrypter, although this is usually not the case.)

We say that Π is homomorphic if E_K(m_1; r_1) · E_K(m_2; r_2) = E_K(m_1 + m_2; r_1 ∘ r_2) for some deterministic binary operation ∘ : R_Π(x)² → R_Π(x). Then E_K(m; r)^s = E_K(ms; ϱ(r, s)) for another deterministic mapping ϱ. Given that ϱ(r, s + 1) = ϱ(r, s) ∘ r, we will denote ϱ(r, s) by r^s.

For an algorithm A, define Adv^{sem}_Π(A) := |Pr[(x, K) ← G_Π(1^k), (m_0, m_1) ← A(1^k, K), r ← R_Π(x), b ← [0, 1], c ← E_K(m_b; r) : A(1^k, K, m_0, m_1, c) = b] − 1/2| to be the advantage that A has over random guessing when trying to distinguish random encryptions of two elements, chosen by herself. We say that Π is semantically secure if for all PPT algorithms A, Adv^{sem}_Π(A) is negligible in k. This definition is polynomially equivalent to other common definitions of semantic security.

A classical example of a homomorphic semantically secure public-key cryptosystem is the ElGamal public-key cryptosystem [El84] with E_K(m; r) = (m h^r; g^r); it works over any family of multiplicative groups where the Decisional Diffie-Hellman Assumption is true. In particular, M_Π(x) may be a subgroup of ℤ_p^*, generated by an element of order q, where p and q are primes such that q | (p − 1). In another important case, M_Π(x) is a prime-order subgroup of a suitable elliptic curve group. Another example of a homomorphic semantically secure public-key cryptosystem is the Paillier public-key cryptosystem [Pai99], where as modified by [CGHN01,DJ01], E_K(m; r) = (1 + mN) r^N mod N² for N = pq, M_Π(x) = ℤ_N and R_Π(x) = ℤ_N^*. Here, E_K(m_1; r_1) · E_K(m_2; r_2) = E_K(m_1 + m_2; r_1 r_2).

Homomorphic Commitment Schemes. In a commitment scheme Γ = (G_Γ, C), the committer sends an element m ← M_Γ(x) of the plaintext space to the receiver in a committed form, c ← C_K(m; r), where (x, K) is generated by G_Γ(1^k) and r ← R_Γ(x). We denote the commitment space of Γ by C_Γ(x). In the context of our paper, all commitment schemes are required to be perfectly (or at least statistically) hiding and computationally binding. More precisely, for an algorithm A, define Adv^{hid}_Γ(A) := |Pr[(x, K) ← G_Γ(1^k), (m_0, m_1) ← A(1^k, K), r ← R_Γ(x), b ← [0, 1], c ← C_K(m_b; r) : A(1^k, K, m_0, m_1, c) = b] − 1/2| to be the advantage that A has over random guessing when trying to distinguish random commitments of two elements, chosen by herself. We say that Γ is statistically hiding if for all (not necessarily PPT) algorithms A, Adv^{hid}_Γ(A) is negligible in k. We allow Γ to be a trapdoor commitment scheme. That is, if A has access to the secret key x, she can break the binding property. Γ is homomorphic if for any (m_1, m_2, r_1, r_2), C_K(m_1; r_1) C_K(m_2; r_2) = C_K(m_1 + m_2; r_1 ∘ r_2) for some binary operator ∘. We will sometimes assume that R_Γ(x) has a unit element 1.

In the Pedersen commitment scheme [Ped91], the setting is the same as in the ElGamal public-key cryptosystem, and C_K(m; r) := g^m h^r for r ← R_Γ(x). In the CGHN [CGHN01] trapdoor commitment scheme, N = pq, C_K(m; r, s) = (1 + mN) r^N h^s mod N², where h = α^N (1 + βN) mod N² for random α ← ℤ_N^* and β ← ℤ_N \ {0}, r ← ℤ_N^* and s ← ℤ_N. Then C_K(m_1; r_1, s_1) C_K(m_2; r_2, s_2) = C_K(m_1 + m_2; r_1 r_2, s_1 + s_2).


(n choose 1)-Oblivious Transfer. During an (n choose 1)-oblivious transfer protocol, the chooser receives precisely one item, chosen by himself, from the database μ = (μ_1, ..., μ_n) of n items maintained by the sender. The sender does not get to know which item was transferred. In the general case, the index i in μ_i does not have to be an integer (indeed, we will not require it in the following); it is sufficient that different elements of μ are indexed by different elements of some set I = {I_1, ..., I_n}. However, for the sake of simplicity we will denote the ith element of the database by μ_i (and not by μ_{I_i}).
Importantly, most of cryptography can be based on oblivious transfer [Kil88]. Additionally, efficient oblivious transfer is necessary, since oblivious transfer is often the most expensive part of cryptographic protocols. An example is Yao's two-party computation model, where the proxy oblivious transfer [NPS99] is the only sub-protocol that requires public-key operations.

The security of an (information-theoretically sender-private) (n choose 1)-oblivious transfer protocol is usually defined in two parts. We will follow the definitions of [NP01, Section 2.1.1]. (It is possible to switch the security requirements so as to require information-theoretical chooser-privacy and computational sender-privacy, but the corresponding protocols are out of the scope of this paper. See, e.g., [Tze02].)

Denote a run of an interactive protocol between A, who has private input a and random tape r_a, and B, who has private input b and random tape r_b, as (A, B)[a, r_a; b, r_b]. As usual, define Cho's view view_Cho[σ, r_Cho; μ, r_Sen] in the oblivious transfer protocol (Cho, Sen)[σ, r_Cho; μ, r_Sen] as the concatenation of its private input σ, its random tape r_Cho, the protocol transcript, and its private output μ_σ. The view of Sen is defined dually.

Computational Chooser-Privacy: For an algorithm A executing the sender's part in the oblivious transfer protocol (Cho, A)[σ, r_Cho; μ, r_A], define

Adv^cho_OT(A) := Pr[(σ_0, σ_1, μ') ← A(1^k, μ, r_A), b ← {0, 1} : A(1^k, μ, r_A, view_A[σ_b, r_Cho; μ', r_A]) = b]

to be the probability that after observing an execution of the protocol (Cho, A)[σ_b, r_Cho; μ', r_A], A can predict which of the two possible choices σ_0 and σ_1 was used by the chooser. We call an oblivious transfer protocol (computationally) chooser-private if Adv^cho_OT(A) is negligible for any PPT algorithm A.

Statistical Sender-Privacy: We make the comparison to the ideal implementation, using a trusted third party that receives μ from the sender, receives σ from the chooser, and tells the chooser μ_σ. We assume that μ_σ is garbage (i.e., a random value from some μ-independent set T) if σ ∉ I.

We define the security by showing that for every algorithm A, one can define a simulator S that, given only the private input σ, the random tape r_A, and the private output μ_σ of A, generates output that is statistically indistinguishable from the view of A when it interacts with the honest sender Sen. More precisely, for a sender Sen and an algorithm S, define Adv^sen_OT(A, S) := Δ(S(1^k, σ, r_A, μ_σ) || view_A[σ, r_A; μ, r_Sen]). We say that the oblivious transfer protocol is statistically sender-private if for every (not necessarily PPT) A there exists a (not necessarily PPT) S such that Adv^sen_OT(A, S) is negligible in k. As usual, sender-privacy is perfect when Adv^sen_OT(A, S) = 0.

As argued, e.g., in [NP01, Section 2.1.2], an oblivious transfer protocol does not have to guarantee correctness (even if Cho is honest but Sen is not, Cho will still receive Sen's input μ_σ). Following this convention, we too will leave it up to the application protocols to provide security in this sense.

The next (n choose 1)-oblivious transfer (OT) protocol by Aiello, Ishai and Reingold [AIR01] provides perfect sender-privacy and computational chooser-privacy. Assume that Π = (G_Π, E, D) is a homomorphic semantically secure public-key cryptosystem that works over a plaintext space Z_M of prime order M = |M_Π(x)|. The sender Sen has a vector μ = (μ_1, ..., μ_n) ∈ Z_M^n. The chooser Cho has made a choice σ. The AIR protocol works as follows: (a) Cho generates a secret/public key pair (x, K) ← G_Π(1^k). Cho generates a random coin r ← R_Π(x) and computes c ← E_K(σ; r). He sends (K, c) to Sen. (b) Sen performs the following, for i ∈ [1, n]: generate random (r_i, s_i) ← R_Π(x) × M_Π(x); compute c_i ← E_K(μ_i; 0) · (c · E_K(−i; 0))^{s_i} · E_K(0; r_i); send c_i to Cho. (c) Cho obtains μ_σ ← D_K(c_σ). As a consequence, the AIR protocol requires n online encryptions by the sender. A similar but slightly less efficient (n choose 1)-OT protocol was independently proposed by Naor and Pinkas [NP01, Section 4.1].

Often one needs an (n choose 1)-oblivious transfer protocol to be sender-verifiable (also known as "committed") in the next sense [CvdGT95,CD97,AJL03]: after the oblivious transfer protocol, the chooser obtains the sender's commitment c_i to every database element, which can later be used in various zero-knowledge proofs or arguments. Recently, Ambainis, Jakobsson and Lipmaa proposed probably the first two-round verifiable oblivious transfer protocol [AJL03]; their protocol was based on decoupling the Naor-Pinkas oblivious transfer protocol and the Pedersen commitment scheme. Briefly, the Naor-Pinkas protocol uses a sub-protocol to recover a key that was used to encrypt the database element. The Ambainis-Jakobsson-Lipmaa (AJL) protocol uses the same sub-protocol to recover a nonce that was used to commit to the database element.

Private Equality Test. At the end of the private equality test (PET, also known as "comparing information without leaking it" or the "socialist millionaires' problem") protocol, the Chooser Cho gets to know whether the Sender's input W_Sen equals that of the Chooser, W_Cho. Cho will not get to know anything else about W_Sen, while Sen should not have any private output at all. Exactly as in the case of oblivious transfer, the security is divided into statistical sender-privacy and computational chooser-privacy. The security definitions are standard and we omit them due to space constraints.

Previously proposed PET protocols [FNW96,NP99,BST01] had an extra emphasis on developing fair protocols, where both the Chooser and the Sender get to know the result of the comparison. None of these protocols is, however, really efficient, even when simplified so as not to have the fairness property. For example, the PET protocol from [BST01] requires multiple rounds and zero-knowledge proofs of knowledge. One application, considered at the end of our paper, actually relies on the asymmetric nature of our PET protocols.

3 Affine Public-Key Cryptosystems 

Next we describe a new property of homomorphic semantically secure public-key cryptosystems that will be necessary in the protocols described later. First, recall that a finite cyclic Abelian group is isomorphic to some residue class group Z_N. Now, let D and D' ≠ 0 be two distributions of elements of Z. We say that D' affinely ε-approximates D on an additive group G if for every g, g' ∈ G with g ≠ 0, Δ(D' · g + g' || D) < ε. We call G ε-affine if such distributions D and D' exist. We say that G is computationally ε-affine if it is ε-affine under the condition that g and g' must be generated by a PPT algorithm. We say that G is (computationally) non-affine if it is not (computationally) 1/2-affine.

Assume that the order of G is public. First, if G is a cyclic group of prime order, one can define D' := Z_{|G|} and D := G. Then G is 0-affine. If G is a cyclic group of composite order, G ≅ Z_m, then for any generator g of G, all elements ag with gcd(a, |G|) = 1 are generators, while for a with gcd(a, |G|) ≠ 1, |⟨ag⟩| ≤ |G|/2. Therefore, G is non-affine. On the other hand, if one assumes that it is hard to factor |G|, then G will be computationally 0-affine. If G is an acyclic group, then every element g ∈ G generates a nontrivial subgroup ⟨g⟩ of G of order ≤ |G|/2. In this case, any choice of D' ≠ 0 leads to non-affinity even in the computational sense.

Let ε = (ε_k) be a family of probabilities. We say that Π = (G_Π, E, D; S, T) is an ε-affine public-key cryptosystem if Π' = (G_Π, E, D) is a homomorphic semantically secure public-key cryptosystem, S and T are PPT algorithms with S(1^k, K) ⊂ Z, T(1^k, K) ⊂ M_Π(x) and |T(1^k, K)| > 1, and for every security parameter k and key pair (x, K) ∈ G_Π(1^k),

Adv^affine_Π := max_{a ∈ M_Π(x) \ {0}, b ∈ M_Π(x)} Δ(S(1^k, K) a + b || T(1^k, K)) ≤ ε_k.

Therefore, Π is perfectly affine if for every x, M_Π(x) is a cyclic group with known prime order. We say that Π is computationally affine if for every x, M_Π(x) is a cyclic group with known composite order, under the assumption that it is hard even for the decrypter to factor M. (If M is not known, perfect affinity may change to statistical affinity.)


4 Homomorphic Oblivious Transfer Protocols 

Simplified notation. To simplify the notation, from now on we will omit the arguments (1^k, K) of S and T, the argument x of M_Π and R_Π, and the argument x of M_Γ and R_Γ.


4.1 Simpler Protocol without Sender- Verifiability 

Protocol 1 depicts the new homomorphic oblivious transfer protocol. A very 
similar protocol was proposed in [AIR01]; we will provide comparisons later in 
this section. 

Theorem 1. Let k be the security parameter. Let Π = (G_Π, E, D; S, T) be a (statistically or computationally) ε-affine homomorphic semantically secure public-key cryptosystem for some ε = (ε_k)_k. Let the database size n be polynomial in k. The HOT protocol depicted by Protocol 1 is a secure oblivious transfer protocol between the chooser Cho and the sender Sen in the next sense. When Π is semantically secure, then the HOT is computationally chooser-private. Let M = |M_Π|. Sender's privacy is (a) perfect when ε_k = 0, (b) computational, with the best adversary having success nε_k, when ε_k is negligible in k and Π is computationally ε-affine.
Protocol 1 The homomorphic oblivious transfer protocol.

Private input: Cho has an index σ ∈ I, Sen has μ = (μ_1, ..., μ_n).

Private output: Cho has μ_σ.

1. The chooser generates a new key pair (x, K) ← G_Π(1^k), a random coin r ← R_Π, and sets c ← E_K(I_σ; r). He sends (K, c) to the sender.

2. For i ∈ [1, n], the sender chooses random s_i ← S and r_i ← R_Π, computes c_i ← E_K(μ_i; 0) · (c · E_K(−I_i; 0))^{s_i} · E_K(0; r_i), and sends c_i to the chooser.

3. The chooser outputs μ_σ ← D_K(c_σ).


Proof. Correctness: If both players are honest then c_i = E_K(μ_i + s_i(I_σ − I_i); r^{s_i} ∘ r_i) and D_K(c_σ) = μ_σ, and thus this protocol is correct.

Chooser-privacy: If the sender can distinguish the views {E_K(σ; R_Π)} and {E_K(σ'; R_Π)} then Π is not semantically secure. (More precisely, if one can violate the chooser-privacy in time t with probability δ, then one can violate the semantic security of Π in time t + const and with probability δ.)

Statistical sender-privacy: We construct the next unbounded simulator S of A: S executes A instruction-by-instruction, except that when A sends a message c to the sender Sen, S interrupts and answers c with (c_1, ..., c_n), where c_i is computed as follows: if D_K(c) ∈ I and D_K(c) = I_i, then c_i ← c^{s_i} · E_K(μ_i − s_i D_K(c); R_Π) for random s_i ← S; otherwise c_i ← E_K(T; R_Π).

Now, if σ := D_K(c) ∉ I (the opposite case D_K(c) ∈ I is analogous), the output distribution of the simulator (for a fixed random tape ρ of S and for fixed c) is (ρ; c; E_K(T; R_Π), ..., E_K(T; R_Π); μ_σ), while the output distribution of A is (ρ; c; ..., c^{s_i} · E_K(μ_i − s_i I_i; R_Π), ...; μ_σ) for random s_i ← S. For a fixed c, the difference between these two distributions is

Adv^sen_HOT(A, S) ≤ n · max_{a≠0} Δ(E_K(Sa + μ_i; R_Π) || E_K(T; R_Π)) ≤ n · max_{a≠0,b} Δ(E_K(Sa + b; R_Π) || E_K(T; R_Π)) = n · max_{a≠0,b} Δ(Sa + b || T) = n · Adv^affine_Π.

Both claims follow straightforwardly. □

Weak Sender-Privacy. Only a few homomorphic semantically secure public-key cryptosystems are affine, as seen from Table 1. Fortunately, it turns out that the HOT protocol is sender-private under much broader settings when we slightly weaken the security definitions.

We say that the oblivious transfer protocol provides weak sender-privacy if the chooser retrieves more than an ideal amount of information about at most one value μ_i, where i = σ when the Chooser has private input σ ∈ I. Weak sender-privacy is sufficient in almost all cases when the oblivious transfer protocol is not required to be chooser-verifiable. (Chooser-verifiability can be defined as the requirement that the chooser must be able to prove that the database element she received was indexed by her choice.) An example application where weak sender-privacy is sufficient is the paid database queries setting, where the database maintainer is only interested in the number of the items that the client will obtain, and not in whether the indices of the obtained items satisfy any requirements.

Often (as in the case of the oblivious transfer protocol proposed in Sect. 4), a weakly sender-private oblivious transfer protocol can be transformed into a statistically sender-private one by accompanying it with a suitable zero-knowledge proof (or argument) that σ ∈ I. Importantly, as we will see from the next theorem, there exist settings where the new oblivious transfer protocol is weakly sender-private but not statistically sender-private.

Theorem 2. Assume the same setting as in Theorem 1. Additionally, assume that M_Π is a cyclic group with a generator g, I_i = ig, and that Φ(M) > n. Then the HOT protocol is weakly sender-private. Moreover, a statistically weakly sender-private HOT protocol can be made statistically sender-private if, before the second step of Protocol 1, the chooser argues in statistical zero-knowledge that c is an encryption of σ for some σ ∈ I.

Proof (Sketch). As in Theorem 1, the advantage Adv^sen_HOT(A, S) is bounded by n max_{a≠0,b} Δ(Sag + b || T). Define S := and T := M_Π. When a = (±σ)g for gcd(σ, M) = 1 then Sa + b = T for any b. If a = σg for gcd(σ, M) ≠ 1 then the chooser will see n − 1 random encryptions that are distributed as E_K(T; R_Π), and one encryption of a value E_K(μ_i + S(σ − i)g; R_Π); this is since Φ(M) > n. From the latter she might be able to derive some information about μ_i, but this is allowed by the security definition.

The second claim of the theorem (about the zero-knowledge argument) is straightforward. Moreover, if I_i is encoded as g^i for some group element g ∈ M_Π then one can show efficiently that i ∈ I by using protocols from [DJ01,LAN02]; for I_i = i the corresponding proofs can be found in [Bou00,Lip03]. (See [Lip03] for some other possible encodings.) □

Comparison with [AIR01]. The HOT protocol is a generalisation of the protocol of Aiello, Ishai and Reingold [AIR01, Section 5] to a wider selection of plaintext spaces. (Namely, [AIR01] considered only the case when M is a prime.) Careful specification of parameters and the definition of affine cryptosystems allowed us to prove that the protocol is "almost" as secure in cases not considered in [AIR01]. In particular, as argued earlier, weak sender-privacy is always sufficient when one does not require chooser-verifiability. In most real-life scenarios, one does not require chooser-verifiability; in almost all such cases, one can use weakly sender-private variants of the HOT protocol that were not considered in [AIR01]. However, when chooser-verifiability is needed, one will usually also need sender-verifiability, a property not provided by the HOT protocol and thus also not by the AIR protocol from [AIR01]. (See Section 4.2 for a new sender-verifiable oblivious transfer protocol.)

Discussion. Importantly, one has quite a flexible choice between possible underlying homomorphic semantically secure public-key cryptosystems Π when one only goes for the weak sender-security. Table 1 shows that the HOT is weakly sender-private based on most of the widely known homomorphic semantically secure public-key cryptosystems, and statistically sender-private when based on two known homomorphic semantically secure public-key cryptosystems. From the mentioned homomorphic semantically secure public-key cryptosystems, [NS98] offers a flexible choice of the value Φ(M) in the range [3, 2^11], and for the other public-key cryptosystems, Φ(M) is anyway required to be large for the public-key cryptosystem to be semantically secure. (However, it is not known whether the Naccache-Stern cryptosystem is semantically secure if M is known to Sen.) The Okamoto-Uchiyama public-key cryptosystem [OU98] is a notable exception since there M is not public, and Φ(M) is not required to be large. Still, even in this case one gets statistical weak sender-privacy by choosing S = Z_{2^{k+ℓ/2}}, where ℓ is the key length.

Table 1. Some homomorphic semantically secure public-key cryptosystems Π that make the HOT protocol at least weakly sender-private. The middle column shows whether the corresponding PET protocol from Section 5 is secure.

  Π                          | Sender-privacy       | Weak sender-privacy
  ---------------------------+----------------------+------------------------------------
  Sender-private HOT         |                      |
    [El84]                   | Yes (perfect)        | Yes (perfect)
    [DJ03]                   | Yes (computational)  | Yes (perfect)
  Weakly sender-private HOT  |                      |
    [Pai99]                  | No                   | Yes (perfect)
    [DJ01]                   | No                   | Yes (perfect)
    [NS98]                   | No                   | If Φ(M) is large (perfect)
    [OU98]                   | No                   | If Φ(p − 1) is large (statistical)

If combined with the Damgård-Jurik cryptosystem from [DJ03], it becomes possible to use extremely large message spaces. If combined with the ElGamal cryptosystem, one can easily distribute the role of the sender. From the strict efficiency point of view, the best underlying homomorphic semantically secure public-key cryptosystem would be ElGamal based on (say) elliptic curves, with I_i defined as g^i for some generator g. Then c ← (g^σ K^r, g^r) and c_i ← (g^{μ_i + s_i(σ − i)} K^{r s_i + r_i}, g^{r s_i + r_i}).


4.2 Verifiable HOT Protocol 

Protocol 1 by itself is not (sender-)verifiable, but it can be made verifiable by borrowing some ideas from the recent AJL verifiable oblivious transfer protocol by Ambainis, Jakobsson and Lipmaa [AJL03]. More precisely, we use the HOT protocol so that the chooser obtains a random nonce m_σ that is also used when the sender commits to μ_σ. The chooser will thus only be able to recover the value of μ_σ. On the other hand, for every i, the sender commits to μ_i using a random value tr(m_i) that is known to her. This means that she can use standard zero-knowledge techniques to prove properties of μ_i even for i ≠ σ.
Protocol 2 The verifiable HOT protocol.

Private inputs: Cho has σ, Sen has μ.

Private outputs: Cho obtains μ_σ.

1. Cho creates a key pair (x̄, K̄) ← G_Γ(1^k) and a key pair (x, K) ← G_Π(1^k). Cho creates a random r ← R_Π and computes c ← E_K(I_σ; r). He sends (K̄, K, c) to Sen.

2. For all i, Sen creates random r_i ← R_Π and (m_i, s_i) ← T × S, computes v_i ← (c · E_K(−I_i; 0))^{s_i} · E_K(m_i; r_i) and c_i ← C_K̄(μ_i; tr(m_i)). She sends (v_i, c_i) to Cho.

3. Cho outputs μ_σ ← retrieve(c_σ · C_K̄(0; tr(D_K(v_σ))^{−1})).


Theorem 3. Let k be the security parameter. Assume that Π = (G_Π, E, D; S, T) is an ε-affine homomorphic semantically secure public-key cryptosystem and that Γ is a homomorphic perfectly hiding commitment scheme. For fixed (x, K) ← G_Π(1^k) and (x̄, K̄) ← G_Γ(1^k), assume the existence of two deterministic PPT functions tr : M_Π → R_Γ and retrieve : C_K̄(m; 1) ↦ m. Then Protocol 2 is (a) perfectly sender-private if Γ is perfectly hiding, tr is an injection, |M_Π| = |R_Γ| is a prime and T and S are defined as usual; (b) statistically sender-private if Γ is statistically hiding, (|M_Π| − |R_Γ|)/|R_Γ| is negligible and tr is a suitable mapping.

Proof. Correctness: If the parties are honest then v_i = E_K(s_i(I_σ − I_i) + m_i; s_i r + r_i) and c_i = C_K̄(μ_i; tr(m_i)), and thus D_K(v_σ) = m_σ and μ_σ = retrieve(c_σ · C_K̄(0; tr(m_σ)^{−1})) = retrieve(C_K̄(μ_σ; tr(m_σ) · tr(m_σ)^{−1})) = retrieve(C_K̄(μ_σ; 1)) = μ_σ.

Chooser-privacy: straightforward, given that Π is semantically secure.

Sender-privacy: Assume D_K(c) = I_σ for σ ∈ [1, n] (the opposite case is analogous). Denote the distribution C_K̄(M_Γ; R_Γ) by Z and the distribution (E_K(m + S(I_σ − I_i); R_Π), C_K̄(μ_i; tr(m))), where m ← T, by Y_i. We construct the next unbounded simulator S for A: S executes A step-by-step, except that when A makes a query c to the sender Sen, S interrupts and answers it with (v_1, c_1, ..., v_n, c_n), where (v_i, c_i) is computed as follows: (v_i, c_i) ← (E_K(T; R_Π), Z) when i ≠ σ, and (v_i, c_i) ← Y_σ when i = σ.

Then the advantage of A is

Adv^sen_VHOT(A, S) ≤ Σ_{i≠σ} Δ(Y_i || (E_K(T; R_Π), Z))
 ≤ Σ_{i≠σ} max_{a≠0,b} Δ((Sa + b, C_K̄(μ_i; tr(T))) || (T, Z))
 ≤ Σ_{i≠σ} max_{a≠0,b} Δ(Sa + b || T) + Σ_{i≠σ} Δ(C_K̄(μ_i; tr(T)) || Z)
 ≤ n · (Adv^affine_Π + Δ(tr(T) || R_Γ) + Adv^hide_Γ(A)).

The claim follows. □

Straightforwardly, for weak sender-privacy it suffices to replace the requirement that Adv^affine_Π is negligible in k by the requirement that Φ(M_Π) > n.
Table 2. Comparison of some verifiable oblivious transfer protocols, with specified homomorphic semantically secure public-key cryptosystem Π and homomorphic commitment scheme Γ. Here we have always T = S = Z_{|R_Γ|} and thus tr(m) = m.

  Protocol                           | Π       | Γ          | Sender's priv. | retrieve(c)        | Verifiable | Online work (exp/enc/comm)
  -----------------------------------+---------+------------+----------------+--------------------+------------+---------------------------
  Naor-Pinkas [NP01]                 | ElGamal | (Pedersen) | Perfect        | Easy (decryption)  | No         | 4n/n/—
  AIR [AIR01] and HOT (this paper)   | ElGamal | —          | Perfect        | Easy (decryption)  | No         | —/n/—
  Ambainis-Jakobsson-Lipmaa [AJL03]  | ElGamal | Pedersen   | Statistical    | Hard (DL)          | Yes        | 4n/n/n
  Verifiable HOT (this paper)        | ElGamal | Pedersen   | Perfect        | Hard (DL)          | Yes        |
  Verifiable HOT (this paper)        | ElGamal | CGHN       | Statistical    | (c − 1)/N mod N^2  | Yes        | —/n/n


Comparison with Previous Work. Recall that the up to now most efficient (and the only two-round) verifiable oblivious transfer protocol, the Ambainis-Jakobsson-Lipmaa protocol [AJL03], was statistically private, and at the end of the AJL protocol the chooser had to compute a discrete logarithm to recover the value of μ_σ. The verifiable HOT protocol from Protocol 2 solves either (but not both) of these problems, when based on suitable Π and Γ. See Table 2 for a comparison of the verifiable HOT protocol (with the ElGamal cryptosystem but different Γ) with some previous work.

When Γ is the Pedersen commitment scheme with x̄ = x and K̄ = K, and I_i = g^i for some generator g, the resulting scheme will be somewhat similar to [AJL03], with v_i = (g^{s_i(σ − i) + m_i} h^{s_i r + r_i}, g^{s_i r + r_i}). Then R_Γ = M_Π, tr is the identity function, S = T = Z_q, and the resulting protocol will be both computationally chooser-private and perfectly sender-private under the DDH assumption. (Recall that the AJL protocol from [AJL03] was only statistically sender-private.) Similarly to [AJL03], the drawback of this protocol is that the chooser obtains C_K̄(μ_σ; 0) = g^{μ_σ}, from which he has to recover μ_σ by computing a discrete logarithm.

The use of the CGHN [CGHN01] trapdoor commitment scheme as Γ enables one to get rid of the latter drawback, at the cost of making the protocol only statistically sender-private. Recall that in the CGHN commitment scheme the chooser recovers c_σ = C_K̄(μ_σ; 1) = (1 + μ_σ N) mod N^2, from which he can efficiently compute μ_σ = (c_σ − 1)/N mod N^2. However, in this case |R_Γ| ≈ |M_Π|^2, assuming that the public keys of Π and Γ have the same length. There are at least three different methods for overcoming this obstacle: (a) choosing twice longer keys for the public-key cryptosystem, so that |M_Π| ≥ |R_Γ| ≈ N^2; this might however be impractical; (b) setting tr to be a pseudorandom number generator; this results in mere computational privacy; (c) letting Sen generate two different random numbers m_i and m'_i, use the HOT protocol twice so that the Chooser obtains both m_i and m'_i, and then use both to commit to μ_i. In all three cases, Adv^sen_VHOT(A, S) ≤ 2nΔ(tr(T) || R_Γ) is negligible. We suggest, even if this results in a slightly less efficient protocol, to use the third recommendation.

Protocol 3 New PET protocol, where Π = (G_Π, E, D; S, T) is an affine homomorphic semantically secure public-key cryptosystem.

Private inputs: Chooser has W_Cho, Sender has W_Sen.

Private outputs: Chooser has 0 if W_Cho = W_Sen, or garbage otherwise.

1. Chooser generates a new key pair (x, K) ← G_Π(1^k), a random r ← R_Π, and sets c ← E_K(W_Cho g; r). He sends (K, c) to Sender.

2. Sender generates random s ← S and r' ← R_Π. She sends c' ← (c · E_K(−W_Sen g; 0))^s · E_K(0; r') to the Chooser.

3. Chooser accepts that W_Cho = W_Sen iff D_K(c') = 0.

5 Private Equality Test and Enhancements 

The Homomorphic Private Equality Test Protocol. Assume that a possible wealth W is encoded as Wg for a generator g of the cyclic group M_Π. (Other encodings might also work.) The new homomorphic private equality test (HPET) protocol (Protocol 3) is in a sense just a simplification of the HOT protocol, although not a straightforward one. Namely, it corresponds to the conditional disclosure of a single database element μ_i = 0, indexed by i = W_Sen, where the chooser queries i = W_Cho. Thus, μ_i = 0 will be revealed only when W_Sen = W_Cho; otherwise the chooser will obtain a random element of M_Π. Therefore, unsurprisingly, the PET protocol is sender-private exactly when based on a Π that also makes the HOT protocol sender-private.

Theorem 4. Let k be the security parameter. Assume that Π = (G_Π, E, D; S, T) is an ε-affine homomorphic semantically secure public-key cryptosystem, such that it is computationally hard for the decrypter to factor M ← |M_Π| for any x ← G_Π(1^k).

Let W_Sen ∈ M_Π and W_Cho ∈ M_Π be the Sender's and the Chooser's inputs. Let M_Π be a cyclic group with generator g. Then Protocol 3, denoted as HPET, is chooser-private. Moreover, (a) if M_Π is a cyclic group of public prime order, then the HPET protocol is perfectly correct and sender-private, and (b) if M_Π is a cyclic group of public composite order, where it is hard for the chooser and the sender to factor |M_Π|, then this protocol is computationally correct and sender-private.

Proof. Correctness: When both parties are honest then c' = E_K(s(W_Cho − W_Sen)g; r^s ∘ r'). Thus, D_K(c') = 0 iff (a) W_Sen = W_Cho or (b) M | s(W_Cho − W_Sen)g. The latter can only happen when gcd(s(W_Cho − W_Sen), M) ≠ 1, that is, when M is composite and either the chooser or the sender can find factors of M. (As previously, we will not care about correctness in the case when the Sender is dishonest, leaving it up to a higher-level protocol to deal with that.) Chooser-privacy: follows straightforwardly from the semantic security.

Statistical sender-privacy (Sketch): In this case, the simulator S knows the answer to the question W_Sen = W_Cho and nothing more about the Sender's wealth. He answers the query c with c', distributed as E_K(T; R_Π) if D_K(c) ≠ W_Sen g, and as E_K(0; R_Π) if D_K(c) = W_Sen g. Clearly, the difference between S's output and the real view is ≤ Δ(E_K(S(W_Cho − W_Sen)g; R_Π) || E_K(T; R_Π)) ≤ Adv^affine_Π. □
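An added example, not the paper's code: a toy simulation of Protocol 1 (HOT) over the Paillier cryptosystem recalled in Section 2, and of Protocol 3 (HPET) as its single-element case with μ = 0 indexed by W_Sen and query σ = W_Cho. It also makes the weak sender-privacy of Theorem 2 concrete: with Paillier, M = N is composite, so a chooser whose σ ∉ I has gcd(σ − I_i, N) > 1 learns μ_i modulo that factor from c_i, while every other c_i stays uniform. Assumptions (all mine): toy primes p = 11, q = 13; integer indices I_i = i; the wealth encoding uses g = 1 in Z_N; and Φ(M) > n is read as "the smallest prime factor of N exceeds n".

```python
# Added example for this page (not the paper's code): Protocol 1 (HOT) and
# Protocol 3 (HPET) over Paillier [Pai99], E_K(m; r) = (1 + mN) r^N mod N^2,
# plus the weak-sender-privacy leakage of Theorem 2. Toy primes only.
import math
import secrets


def paillier_keygen(p, q):
    """Return (secret key, public key N). Requires gcd(N, (p-1)(q-1)) = 1."""
    N = p * q
    lam = (p - 1) * (q - 1)
    if math.gcd(N, lam) != 1:
        raise ValueError("toy primes must satisfy gcd(N, (p-1)(q-1)) = 1")
    return (lam, N), N


def random_unit(N):
    """Random coin r <- R_Pi = Z_N^*."""
    while True:
        r = secrets.randbelow(N)
        if r != 0 and math.gcd(r, N) == 1:
            return r


def enc(N, m, r=1):
    """E_K(m; r) = (1 + mN) r^N mod N^2; r = 1 plays the role of the paper's E_K(m; 0)."""
    N2 = N * N
    return (1 + (m % N) * N) * pow(r, N, N2) % N2


def dec(sk, c):
    """Standard Paillier decryption: c^lam = 1 + (lam * m) N mod N^2."""
    lam, N = sk
    u = pow(c, lam, N * N)
    return ((u - 1) // N) * pow(lam, -1, N) % N


def chooser_step1(N, sigma):
    """Step 1 of Protocol 1: c <- E_K(I_sigma; r), with I_i = i (assumption)."""
    return enc(N, sigma, random_unit(N))


def sender_step2(N, c, database):
    """Step 2: c_i <- E_K(mu_i; 0) * (c * E_K(-I_i; 0))^{s_i} * E_K(0; r_i)
    with s_i <- S = Z_N and r_i <- Z_N^*; c_i decrypts to mu_i + s_i (sigma - i) mod N.
    The sender never learns sigma."""
    N2 = N * N
    answers = {}
    for i, mu in database.items():
        s_i = secrets.randbelow(N)
        blinded = pow(c * enc(N, -i) % N2, s_i, N2)
        answers[i] = enc(N, mu) * blinded % N2 * enc(N, 0, random_unit(N)) % N2
    return answers


def hot_run(p, q, database, sigma):
    """One protocol run. Returns what the chooser's key decrypts for every i
    (step 3 only needs c_sigma; decrypting the rest shows what else leaks)."""
    sk, N = paillier_keygen(p, q)
    c = chooser_step1(N, sigma)
    return {i: dec(sk, c_i) for i, c_i in sender_step2(N, c, database).items()}


def weakly_private(p, q, n):
    """Theorem 2 condition Phi(M) > n for I = {1, ..., n}, read here as
    'smallest prime factor of N exceeds n' (assumption): then sigma - i is a
    unit mod N for every honest sigma in I and i != sigma, so c_i is uniform."""
    return min(p, q) > n


def leak_modulus(N, sigma, i):
    """gcd(sigma - i, N) for a (possibly dishonest) query sigma: if it exceeds 1,
    mu_i + s_i (sigma - i) is congruent to mu_i modulo it for every s_i, so the
    chooser learns mu_i mod gcd. The sender cannot evaluate this (sigma is
    hidden); the paper's remedy is a zero-knowledge argument that sigma is in I."""
    return math.gcd(sigma - i, N)


def hpet_run(p, q, w_cho, w_sen):
    """Protocol 3 as the single-element HOT with mu = 0 indexed by W_Sen and
    query sigma = W_Cho (encoding g = 1 in Z_N). Returns the Chooser's verdict."""
    sk, N = paillier_keygen(p, q)
    c = chooser_step1(N, w_cho)
    c_prime = sender_step2(N, c, {w_sen: 0})[w_sen]
    return dec(sk, c_prime) == 0


if __name__ == "__main__":
    db = {1: 5, 2: 77, 3: 100, 4: 9, 5: 42}  # constructed sample database
    print("honest sigma=3 ->", hot_run(11, 13, db, 3)[3])  # 100
    # Dishonest sigma = 12 is not in I = {1..5}; 12 - 1 = 11 divides N = 143.
    for _ in range(3):
        print("sigma=12, D(c_1) mod 11 ->", hot_run(11, 13, db, 12)[1] % 11)  # always 5
    print("HPET 7 == 7 ->", hpet_run(11, 13, 7, 7))
```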

The HPET protocol is severely more efficient than the BST (Boudot-Schoenmakers-Traoré) protocol [BST01] or the protocol from [NP99]. However, the latter can be modified (at a significant cost in efficiency) so as to provide fairness, i.e., to guarantee that the Sender will only get to know whether W_Sen = W_Cho if the Chooser also gets to know that. It is unclear yet whether our protocol can be modified to become fair, but this is also not our intention.

Unfortunately, the number of currently known homomorphic cryptosystems where the decryption can be performed without knowing the factorisation of |M_Π| is small: the only known examples are [El84,DJ03]. (See the second column of Tbl. 1.)


Verifiable PET. (Sketch.) Here, we use the same notation as in the previous theorems. In a verifiable PET protocol, the Chooser sends c ← E_K(W_Cho g; r) to the Sender, who replies with (v, c'), where v ← E_K(s(W_Cho − W_Sen)g + m; r^s ∘ r') and c' ← C_K̄(W_Sen · ḡ; tr(m)), for m ← T. Here, tr : M_Π → R_Γ and ḡ is an element of M_Γ of order at least |M_Π|. Clearly, this protocol is correct and secure under reasonable assumptions. The security proof is similar to that presented in Theorem 3.


Proxy Verifiable HPET. In the proxy private equality test there is one Alice, n different "Bobs" B_1, ..., B_n, and a new party called Peggy the Proxy. At the end of the proxy PET protocol, Peggy will get to know whether Alice is as wealthy as B_i, the ith Bob, for all i ∈ [1, n], while neither Alice nor any of B_1, ..., B_n will obtain any new information. Next, we propose a proxy verifiable homomorphic private equality test protocol (see Protocol 4) that is based on an ε-affine homomorphic semantically secure public-key cryptosystem Π = (G_Π, E, D; S, T) that satisfies the same requirements as Π in Thm. 4. (We omit the security proofs.)

This protocol is basically a modification of the HPET protocol with a proxy Peggy who transmits Alice's and the B_i's messages to their partners. As a drawback, Protocol 4 reveals W_A to Peggy in step 5, but importantly, this only happens after Peggy has committed to the B_i's answers: if Peggy would get to know x before forwarding (K̄, K, c) in step 2, she might be able, in collaboration with some B_i, to stop the protocol before sending the commitment χ to Alice if the outcome is not suitable for Peggy. This attack is relevant in, e.g., the auction scenario (see Sect. 6), and is one of the reasons why x is sent to Peggy only at the end of the protocol. As we will also see in Sect. 6, in some applications revealing W_A at the end of the protocol is actually desirable.

Protocol 4 The proxy verifiable HPET protocol.

Private inputs: Alice has W_A, B_i has W_{B_i}. Private outputs: For all i, Peggy has 0 if W_A = W_{B_i}, or garbage otherwise.

1. Alice generates new private key pairs (x, K) ← G_Π(1^k) and (x̄, K̄) ← G_Γ(1^k), a random r ← R_Π, and sets c ← E_K(W_A; r). She sends (K̄, K, c) to Peggy.

2. Peggy forwards (K̄, K, c) to players B_1, ..., B_n.

3. For every i, B_i creates a random m_i ← T, computes v_i = E_K(m_i + s_i(W_A − W_{B_i}); r^{s_i} ∘ r'_i) for random s_i ← S and r'_i ← R_Π, and sets c_i ← C_K̄(W_{B_i}; tr(m_i)). He sends (v_i, c_i) together with his signature over (K̄, K, c, c_i, v_i) to Peggy.

4. Peggy collects all values {v_i, c_i} and signs (at an a priori fixed time) their joint commitment. She sends the signed commitment χ to Alice.

5. Alice sends W_A, x and her signature on (W_A, χ, x) to Peggy.

6. For every i, Peggy decrypts v_i by using the key x, and obtains a message m_i ∈ M_Π. She decides that W_A = W_{B_i} iff c_i = C_K̄(W_A; tr(m_i)).


Second, More Secure, Proxy Verifiable HPET Protocol. (Sketch.) In an alternative protocol to Protocol 4, instead of sending x to Peggy, Alice receives (v, c) from Peggy, obtains all messages m_i, and then proves in zero-knowledge whether v_i commits to W_A for all i ∈ [1, n]. This protocol is obviously more secure than the first protocol (since x, and thus also W_A, will not be revealed to Peggy), but requires at least one additional round and more communication.

6 Applications 

Applications of the Verifiable Oblivious Transfer Protocol. In [AJL03], Ambainis, Jakobsson and Lipmaa proposed several protocols for the cryptographic randomised response technique. Their first protocol, which is based on their own verifiable oblivious transfer protocol, can be made more efficient (and also perfectly private for the respondent) by using the verifiable HOT protocol instead. Note that at least in their application a weakly sender-private oblivious transfer protocol with a trapdoor commitment scheme will be sufficient. See, e.g., [CvdGT95,CD97,CC00] for more applications of the verifiable HOT protocol.


Auctions. The LAN auction scheme [LAN02] is (probably) the most efficient secure cryptographic $(b+1)$st-price auction scheme without threshold trust; in large-scale auctions with many participants it requires 10-100 times less communication than the Naor-Pinkas-Sumner scheme [NPS99]. On the other hand, the LAN scheme has two principal drawbacks. First, the involved trusted auction authority $A$ will get to know the bid statistics. As argued in [LAN02], this is not a weakness from the economic viewpoint when relying on the assumption that the occasional seller and the well-established business authority $A$ do not collaborate.

Second, the LAN scheme has only an optimistic payment enforcement procedure. Namely, after the seller has received the value of the $b$-th highest bid $X_b$ from $A$, reliable winner determination is only possible when all the bidders (or at least the $b$ highest bidders) complete a zero-knowledge proof that shows whether they bid more than $X_b$ or not. Clearly, it may be difficult to force the bidders to collaborate at this time, especially after they know the value of $X_b$, and it may be hard to distinguish between the malicious bidders (who want to disrupt the auction, lose their interest in participation since they are not winning, or are not willing to pay as much), shills, and bidders that have some genuine problems with their software or hardware. Moreover, some bidders might object to such enforcement even if they have no desire to cheat, for whatever moral or psychological reasons.

By using the proxy verifiable HPET protocol (Protocol 4), one can eliminate the second problem of the LAN scheme for $b > 1$ with a moderate increase in the communication complexity. The basic idea of our solution is that after the third party $A$ has computed the $b$-th highest bid $X_b$, he will not send $X_b$ to the seller $P$, as was done in the original protocol of [LAN02]. Instead, the seller will act as a proxy in $(b-1)$ parallel proxy verifiable HPET protocols with the inputs $X_1, \dots, X_{b-1}$ from $A$ and the input $b_i$ ($B_i$'s bid) from the bidder $B_i$. After the 3rd step of the proxy verifiable HPET protocol, neither the seller nor any of the bidders knows $X_j$ for any $j$. Thus, none of the bidders (including the shills who cooperate with the auctioneer) has the motivation to discontinue participation in the auction. In particular, the seller has no better strategy than to be honest in step 4 of Protocol 4. Moreover, he will receive $X_1, \dots, X_{b-1}$ only on step 5 of the proxy verifiable HPET protocol, after his commitment, and thus his actions are accountable. The drawback of this solution is that the seller will get to know $X_1, \dots, X_{b-1}$.

Alternatively, the participants can use the alternative proxy verifiable HPET protocol that was sketched before; in this case, no $X_j$ will be leaked to the seller, but the communication complexity of the whole scheme increases somewhat, since the authority must provide $b-1$ zero-knowledge arguments of plaintext equality. One can most probably apply the proxy verifiable HPET protocol also to other protocols in an analogous manner.
Abstract. This paper investigates some modular powering functions suitable for cryptography. It is well known that the Rabin encryption function is a 4-to-1 mapping and that breaking its one-wayness is as hard as factoring. The previously reported encryption schemes using a powering function are variants of either the 4-to-1 mapping or a higher $n$-to-1 mapping, where $n > 4$. In this paper, we propose an optimized powering function that is a 3-to-1 mapping using a $p^2 q$-type modulus. The one-wayness of the proposed powering function is as hard as the infeasibility of the factoring problem. We present an efficient algorithm for computing the decryption for a $p^2 q$-type modulus, which requires neither modular inversion nor division. Moreover, we construct new provably secure digital signatures as an application of the optimized functions. In order to achieve provable security in the random oracle model, we usually randomize a message using random hashing or padding. However, we have to compute the randomization again if the randomized message is a non-cubic residue element, which is inefficient for long messages. We propose an algorithm that can deterministically find the unique cubic residue element for a randomly chosen element.

Keywords: factoring, RSA, modular powering function, digital signa- 


1 Introduction 

Modular powering functions with composite moduli play an important role in cryptography. The RSA cryptosystem [15] and its variations [2,3] use one-to-one modular powering functions (permutations) as primitives. The Rabin cryptosystem [14] and its variants such as Williams' scheme [19] and Kurosawa et al.'s schemes [8,9] are composed of modular squaring functions (4-to-1 mappings). The other encryption schemes using powering functions [16], [10], [20], [21] utilize $n$-to-1 mappings ($n > 4$). Although the types of moduli for these functions are various, the following types are mainly used: $pq$, $pqr$ and $p^2 q$ (e.g. [5], [7], [13], [18]), where $p, q, r$ are distinct prime numbers. The $pqr$-type modulus allows efficient decryption using the Chinese remainder theorem [13], and the $p^2 q$-type modulus can achieve faster decryption through the addition of Hensel lifting [7], [18].

C.S. Laih (Ed.): ASIACRYPT 2003, LNCS 2894, pp. 434-451, 2003.

These various kinds of functions have advantages and disadvantages. In cryptographic use, we expect that these functions will be proven to be one-way under some reliable assumption such as the infeasibility of factoring large composite numbers. In view of this, strictly speaking, computational equivalence between one-wayness and the infeasibility of factoring is not proven for RSA functions. On the other hand, it is proven that Rabin functions are one-way under the factoring assumption. However, for $pq$- and $p^2 q$-type moduli, these functions are 4-to-1, where four is the cardinality of the kernel (for the $pqr$-type, the functions are 8-to-1), and this causes some inconvenience in cryptography such as non-uniqueness in decryption. To avoid this, additional treatment is required for decryption or efficiency is decreased, and thus a smaller kernel would better suit our purposes. Moreover, for a $p^2 q$-type modulus, the conventional methods ([7], [18]) require modular inverses and integer divisions to be calculated. Even though these operations are fast in software, they are relatively expensive in hardware, especially for smartcards that are not equipped with coprocessors to calculate these inverses and divisions.

In this paper, we investigate optimized modular powering functions whose one-wayness can be proven secure under factoring assumptions. We deal with the general powering function $f(x) = x^g \bmod N$ for a modulus $N = p^d q$. We show some criteria related to the parameters $g, d, p, q$, which determine the number of pre-images of $f(x)$. We conclude that the optimal encryption of our proposed scheme is a 3-to-1 mapping with the $p^2 q$-type modulus. Moreover, we propose an efficient algorithm to calculate the preimages for a $p^2 q$-type modulus, which needs neither modular inversion nor division of integers. Furthermore, as an application of these optimized functions, we construct new provably secure digital signatures using these functions in the random oracle model. In order to achieve security in the random oracle model, we randomize a message using random hashing or padding. If the randomized message is a non-cubic element, we have to randomize it again before the primitive computation, which is inefficient for long messages. In this paper, we propose an algorithm with which the three possible kernel elements can easily be distinguished by a non-cubic residue element. This trick was initially proposed by Kurosawa et al. for the Rabin signature scheme [9]. Finally, we estimate the efficiency of the proposed signature scheme in contrast with other conventional signature schemes. The decryption of the proposed scheme with a $p^2 q$-type modulus is about 1.7 times faster than that of Multi-Prime RSA with a $pqr$-type modulus of the same size.

This paper is organized as follows: In Section 2, we discuss the proposed primitives and propose an optimal powering function. Section 3 discusses our construction of digital signature schemes based on the optimal powering function. Section 4 concludes the paper with a few closing remarks.
2 Proposed Primitives

In this section, we first study generalized powering functions with respect to security, efficiency and convenience for cryptography, and we then propose a new type of function that has not been applied to cryptography, that is, one where the conditions on the prime factors of the modulus are asymmetric. In the following, because of efficiency, we concentrate on moduli of the powering functions that have two distinct prime factors (cf. Section 3.4).


2.1 Generalized Powering Functions 

Let us recall the general properties of powering functions over some finite rings.

We deal with a modulus $N = p^d q$, where $p$ and $q$ are distinct odd prime numbers and $d \ge 1$ is a positive integer¹. Let us denote the $g$-th power map on the multiplicative group $\mathbb{Z}_N^*$ by

$$ f = f_{N,g} : \mathbb{Z}_N^* \to \mathbb{Z}_N^*, \qquad f(x) = x^g \bmod N. \tag{1} $$

Note that $f$ is a $g_p g_q$-to-one map, and the image of $f$ is equal to $(\mathbb{Z}_N^*)^g \cong (\mathbb{Z}_{p^d}^*)^g \times (\mathbb{Z}_q^*)^g$, where $g_p = \gcd(g, p-1)$ and $g_q = \gcd(g, q-1)$ for an integer $1 < g < \min(p-1, q-1)$. Let $y$ be an element in the image of $f$; then the preimage of $y$ by $f$ is the set $f^{-1}(y) = \{x' \in \mathbb{Z}_N^* \mid x'^g = y\}$, which consists of $g_p g_q$ elements. We choose $g = 2$ for the Rabin cryptosystem, so that there are four ambiguities for the preimage of the map $f$ due to $g_p = g_q = 2$.

We denote the isomorphism given by the Chinese remainder theorem by $\phi$:

$$ \phi = \phi_{p^d, q} : \mathbb{Z}_{p^d}^* \times \mathbb{Z}_q^* \to \mathbb{Z}_N^*. $$

As is well known, the multiplicative group $\mathbb{Z}_p^*$ is a cyclic group of order $p-1$. For an integer $t \ge 1$, let $Z_{p,t}$ be the subgroup of elements in $\mathbb{Z}_p^*$ whose order divides $t$: $Z_{p,t} = \{a \in \mathbb{Z}_p^* \mid a^t = 1\}$.

We consider the $g$-th power map $f_{p,g}$ on $\mathbb{Z}_p^*$. It can easily be seen that the following sequence is exact²: $1 \to Z_{p,g} \hookrightarrow \mathbb{Z}_p^* \xrightarrow{f_{p,g}} (\mathbb{Z}_p^*)^g \to 1$. Moreover, we have $(\mathbb{Z}_p^*)^g = ((\mathbb{Z}_p^*)^{g_p})^{g/g_p}$, and the order of $(\mathbb{Z}_p^*)^{g_p}$ is $(p-1)/g_p$; in particular, it is prime to $g/g_p$, thus it holds that $((\mathbb{Z}_p^*)^{g_p})^{g/g_p} = (\mathbb{Z}_p^*)^{g_p}$. Hence, we have $\# Z_{p,g} = (p-1)/\#(\mathbb{Z}_p^*)^{g_p} = g_p$, and from the uniqueness of the subgroup of order $g_p$ in $\mathbb{Z}_p^*$, letting $\zeta_{p,g}$ be a primitive $g_p$-th root of unity, we have $Z_{p,g} = Z_{p,g_p} = \langle \zeta_{p,g} \rangle$, that is, the subgroup of $g$-th roots of unity is equal to that of $g_p$-th roots of unity. Let $\chi_{p,g} = f_{p,(p-1)/g_p}$ be the $(p-1)/g_p$-th power map on $\mathbb{Z}_p^*$:

$$ \chi_{p,g} : \mathbb{Z}_p^* \to \mathbb{Z}_p^*, \qquad \chi_{p,g}(x) = x^{(p-1)/g_p} \bmod p, $$

¹ Boneh et al. proposed a polynomial time algorithm for factoring $p^d q$ for large $d$ [4]. The exponent $d$ in this paper is very small, so that their algorithm is not effective.

² $A \xrightarrow{f} B \xrightarrow{g} C$ is said to be exact if the image of $f$ is equal to the kernel of $g$.
then, due to the above arguments, the following sequence is exact: $1 \to (\mathbb{Z}_p^*)^g = (\mathbb{Z}_p^*)^{g_p} \hookrightarrow \mathbb{Z}_p^* \xrightarrow{\chi_{p,g}} \langle \zeta_{p,g} \rangle \to 1$. In other words, we have the following.

Lemma 1. For any $x \in \mathbb{Z}_p^*$, we have $\chi_{p,g}(x) \in \langle \zeta_{p,g} \rangle$, and $x$ is a $g$-th power residue (i.e. $x \in (\mathbb{Z}_p^*)^g$) if and only if $\chi_{p,g}(x) = 1$.

For $(\mathbb{Z}_{p^d})^*$, there exists a decomposition $(\mathbb{Z}_{p^d})^* \cong (\mathbb{Z}_p)^* \times \mathbb{Z}_{p^{d-1}}$. Since $\gcd(g, p) = 1$, regarding $\mathbb{Z}_p^*$ as a subgroup of $\mathbb{Z}_{p^d}^*$, we have $Z_{p^d,g} = Z_{p,g}$, and $a \in \mathbb{Z}_{p^d}^*$ is a $g$-th power residue if and only if $a \bmod p$ satisfies the condition in Lemma 1. For the prime $q$, the situation is similar; let $Z_{q,g} = \langle \zeta_{q,g} \rangle$, then by the Chinese remainder theorem, the set $Z_{N,g}$ of all $g$-th roots of unity in $\mathbb{Z}_N^*$ can be written as $Z_{N,g} = \phi(Z_{p,g}, Z_{q,g}) = \{\phi(\zeta_{p,g}^i, \zeta_{q,g}^j) \mid 0 \le i < g_p,\ 0 \le j < g_q\}$. Since $\zeta_{p,g}$ and $\zeta_{q,g}$ are easily calculated (e.g. $\zeta_{p,g} = x^{(p-1)/g_p}$ for some $x$), and by Lemma 2, $Z_{N,g}$ is easily obtained. Especially, we have $\# Z_{N,g} = g_p \cdot g_q$. Putting $g_{pq} = \mathrm{lcm}(g_p, g_q)$, it can easily be seen that $Z_{N,g} = Z_{N,g_{pq}}$.

Consequently, for $y \in (\mathbb{Z}_N^*)^g$, let $x \in f^{-1}(y)$ be a preimage of $y$: $x^g = y$; then the preimage $f^{-1}(y)$ of $y$ by $f$ can easily be calculated by the following:

$$ f^{-1}(y) = \{\, x \cdot \phi(\zeta_{p,g}^i, \zeta_{q,g}^j) \mid 0 \le i < g_p,\ 0 \le j < g_q \,\}. \tag{2} $$


2.2 Security of Generalized Powering Functions 

We will now consider computational equivalence between the factoring problem on $N$ and the one-wayness of the function $f$, when $f$ is not injective.

For each divisor $e$ of $g$, define the set of primes $p$ with $g_p = e$ that satisfy the condition $\gcd(g, (p-1)/e) = 1$ as follows: $\mathcal{P}_e = \{p : \text{prime} \mid \gcd(g, p-1) = e,\ \gcd(g, (p-1)/e) = 1\}$.

Let $\mathrm{Div}(g)$ be the set of all divisors of $g$. For a non-empty set $D \subset \mathrm{Div}(g)$, we put $\mathcal{P}_D = \bigcup_{e \in D} \mathcal{P}_e$. We fix integers $d \ge 1$, $g \ge 2$, and non-empty sets $D_1, D_2 \subset \mathrm{Div}(g)$, $D_1 \cup D_2 \ne \{1\}$ (namely, one of these contains divisors of $g$ besides 1). For these, let an instance generator $G_0$ be a probabilistic polynomial time algorithm such that $G_0(1^k) \to N$, where $N = p^d q$, $|N| = k$, $p \in \mathcal{P}_{D_1}$, $q \in \mathcal{P}_{D_2}$, $|p| \approx |q|$ (in the case $1 \in D_1 \cap D_2$, we also assume that $(p, q) \notin \mathcal{P}_1 \times \mathcal{P}_1$). Using these notations, we define the factoring problem and its infeasibility.

Definition 1. The integer factoring problem is the problem which, for given $d, g, D_1, D_2$, and $N \leftarrow G_0(1^k)$, finds the factors $(p, q)$ of $N$. The integer factoring problem is said to be infeasible if for any probabilistic polynomial time (PPT) algorithm $A$, any constant $c$ and all sufficiently large $k$,

$$ \Pr\left[\, A(1^k, N, d, g, D_1, D_2) = (p, q) \;\middle|\; N \leftarrow G_0(1^k) \,\right] < \frac{1}{k^c}. $$

Definition 2. An integer factoring PPT algorithm $A$ is said to $(t, \epsilon)$-break $N \leftarrow G_0(1^k)$ if for any $k \in \mathbb{N}$, after at most $t(k)$ processing time, it factors $N$ with probability at least $\epsilon(k)$. The set of outputs of $G_0$ is $(t, \epsilon)$-secure if there exists no integer factoring PPT algorithm which $(t, \epsilon)$-breaks it.
We next define the one-wayness of the functions defined in Section 2.1 as follows:

Definition 3. The notations $d, g, D_1, D_2$ and $G_0$ are the same as in Definition 1. The powering function $f$ is said to be one-way if for any PPT algorithm $A$, for any constant $c$ and any sufficiently large $k$,

$$ \mathrm{Adv}(A) = \Pr\left[\, A(1^k, N, d, g, D_1, D_2, y) = x' \in f^{-1}(y) \;\middle|\; N \leftarrow G_0(1^k);\ x \leftarrow \mathbb{Z}_N^*;\ y \leftarrow f(x) \,\right] < \frac{1}{k^c}. $$

Definition 4. A PPT algorithm $A$ is said to $(t, \epsilon)$-break $f$ if for any $k \in \mathbb{N}$, after at most $t(k)$ processing time, it calculates a preimage of $f$ with probability at least $\epsilon(k)$. $f$ is $(t, \epsilon)$-secure if there exists no PPT algorithm which $(t, \epsilon)$-breaks it.

Let $\varphi$ be the Euler totient function. Under these definitions, we can prove the following theorem, whose proof can be found in Appendix A.

Theorem 1. Fix integers $d \ge 1$ and $g \ge 2$, and assume that all divisors of $g$ can be efficiently computed. Fix non-empty sets $D_1, D_2 \subset \mathrm{Div}(g)$, $D_1 \cup D_2 \ne \{1\}$, and for any $e_1 \in D_1$ and $e_2 \in D_2$, assume that $\bigl\{\sum_{e \mid \gcd(e_1, e_2)} \varphi(e)^2\bigr\}/(e_1 e_2)$ is small. Moreover, we put

$$ r = \min_{e_1 \in D_1,\ e_2 \in D_2} \left( 1 - \frac{\sum_{e \mid \gcd(e_1, e_2)} \varphi(e)^2}{e_1 e_2} \right). $$

(Notice that by the assumptions, $r$ is close to 1.) Let $G_0$ be the instance generator for the above parameters, and $N \leftarrow G_0(1^k)$. If the integer factoring problem for $N$ is infeasible, then the function $f : \mathbb{Z}_N^* \to \mathbb{Z}_N^*$, $f(x) = x^g$, is one-way. More precisely, if the outputs of $G_0$ are $(t_I, \epsilon_I)$-secure, then $f$ is $(t_f, \epsilon_f)$-secure, where

$$ t_I(k) = t_f(k) + O(k^3), \qquad \epsilon_I(k) = r\,\epsilon_f(k). $$

According to the argument in Section 2.3, the inverse of $f$ can be calculated using the factors of $N$; hence, together with the argument in this section, the equivalence between the infeasibility of the factoring problem on $N$ and the one-wayness of $f$ is proven.
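The following Python program is an added worked example (not part of the paper) of the reduction behind Theorem 1 on toy parameters. It computes the constant $r$ from the formula above, checks it against a direct count over the roots of unity $\phi(\zeta_{p,g}^i, \zeta_{q,g}^j)$ of (2) (two roots of $y$ only split $N$ when the $p$- and $q$-components of their ratio have different orders), and then runs the reduction itself: a simulated root-finding adversary, which for the tiny modulus simply enumerates $f^{-1}(y)$, is fed $y = x^g$ and its answer $x'$ is turned into a factor of $N = p^2 q$ via $\gcd(x'^k - x^k, N)$ over the divisors $k$ of $g$. The toy primes, the brute-force oracle and the trial counts are this example's own choices, not the paper's.

```python
import math
import random


def euler_phi(n):
    """Euler's totient by trial; the arguments are tiny here."""
    return sum(1 for k in range(1, n + 1) if math.gcd(k, n) == 1)


def reduction_constant(e1, e2):
    """r of Theorem 1 for one pair (g_p, g_q) = (e1, e2):
    1 - sum_{e | gcd(e1, e2)} phi(e)^2 / (e1 e2).
    phi(e)^2 counts the roots of unity phi(zeta_p^i, zeta_q^j) whose two
    components both have order e; those never separate p from q."""
    dd = math.gcd(e1, e2)
    same_order = sum(euler_phi(e) ** 2 for e in range(1, dd + 1) if dd % e == 0)
    return 1 - same_order / (e1 * e2)


def useful_fraction_by_counting(e1, e2):
    """Same quantity counted directly over (i, j) in Z_e1 x Z_e2: the orders
    of zeta_p^i and zeta_q^j are e1/gcd(i, e1) and e2/gcd(j, e2)."""
    useful = sum(1 for i in range(e1) for j in range(e2)
                 if e1 // math.gcd(i, e1) != e2 // math.gcd(j, e2))
    return useful / (e1 * e2)


def split_modulus(N, dv):
    """Turn a nontrivial divisor dv of N = p^2 q into (p, q), else None."""
    if dv <= 1 or dv >= N or N % dv:
        return None
    r = math.isqrt(dv)
    if r * r == dv:                        # dv == p^2
        return r, N // dv
    r = math.isqrt(N // dv)                # dv == q
    return (r, dv) if r * r * dv == N else None


def reduce_to_factoring(N, g, root_oracle, rng):
    """One run of the reduction: choose x, give y = x^g to the inverter, and
    use its root x' to split N via gcd(x'^k - x^k, N) for divisors k of g."""
    while True:
        x = rng.randrange(2, N)
        if math.gcd(x, N) == 1:
            break
    x2 = root_oracle(pow(x, g, N))
    for k in (e for e in range(1, g + 1) if g % e == 0):
        found = split_modulus(N, math.gcd(pow(x2, k, N) - pow(x, k, N), N))
        if found:
            return found
    return None


def make_toy_oracle(N, g, rng):
    """Simulated inverter returning a uniformly random g-th root of y.  It
    enumerates Z_N^*, which only works because N is tiny; Theorem 1 is about
    an inverter that needs no such luxury."""
    def oracle(y):
        roots = [x for x in range(1, N) if math.gcd(x, N) == 1 and pow(x, g, N) == y]
        return rng.choice(roots)
    return oracle


def estimate_success(p, q, g, trials=400, seed=1):
    """Fraction of runs in which the reduction recovers (p, q) from N = p^2 q."""
    N = p * p * q
    rng = random.Random(seed)
    oracle = make_toy_oracle(N, g, rng)
    wins = sum(1 for _ in range(trials) if reduce_to_factoring(N, g, oracle, rng) == (p, q))
    return wins / trials


if __name__ == "__main__":
    # toy (3,1,3) instance: p = 11 = 2 (mod 3), q = 13 with 3 not dividing (q-1)/3
    print("(3,1,3): r =", reduction_constant(1, 3), "measured", estimate_success(11, 13, 3))
    # toy Rabin-type (2,2,2) instance: p = 7, q = 11
    print("(2,2,2): r =", reduction_constant(2, 2), "measured", estimate_success(7, 11, 2))
```

The measured success rates come out near $r = 2/3$ for the (3,1,3) modulus and near $r = 1/2$ for the Rabin-type one, which is exactly the loss factor $\epsilon_I = r\,\epsilon_f$ in the theorem: in the (3,1,3) case the only useless answer is $x' = x$ itself, while in the Rabin case $x' = \pm x$ are both useless.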


2.3 Efficient Decryption Algorithms 

In this section, we consider an efficient algorithm that can be used to calculate the preimage of the powering function (1) of Section 2.1 when the prime factors $p$ and $q$ are known. In the case $d > 1$, the conventional method (e.g. [7], [18]) needs a modular inverse to be calculated. We now propose an algorithm that does not need the modular inverse to be calculated, under some conditions on $p$, $q$ and $g$. The proofs for the following are in Appendix B. The notations $p, q, d, N$ and $g$ are the same as in Section 2.1. Let $z = p^{-1} \bmod q$. For $y \in (\mathbb{Z}_N^*)^g$ we put $y_p = y \bmod p$, $y_q = y \bmod q$ and $y_i = y \bmod p^i q$ ($1 \le i \le d$).

Moreover, let $x_p$ be a $g$-th root of $y_p$ in $\mathbb{Z}_p^*$, that is $x_p^g = y_p \pmod p$. Similarly, let $x_q$ be a $g$-th root of $y_q$: $x_q^g = y_q \bmod q$. Then, by the Chinese remainder theorem, a $g$-th root of $y$ modulo $pq$ is given by the following lemma.

Lemma 2. By the isomorphism $\mathbb{Z}_p \times \mathbb{Z}_q \to \mathbb{Z}_{pq}$, $(x_p, x_q) \in \mathbb{Z}_p \times \mathbb{Z}_q$ corresponds to an element $x_1 \in \mathbb{Z}_{pq}$, which is given by $x_1 = x_p + p\,((x_q - x_p)\,z \bmod q)$, and $x_1$ is a $g$-th root of $y_1$ $(= y \bmod pq)$.

By using the $g$-th roots of $y \in (\mathbb{Z}_N^*)^g$ in the moduli $p$, $q$ and $pq$, we can calculate the $g$-th root of $y$ in the higher-power moduli ($p^i q$, $i = 2, 3, \dots, d$) as we will see in the following.

Lemma 3. The notations are the same as above. Let $\eta_y = (g\,x_p^{g-1})^{-1} \bmod p$ and let $x_i$ ($1 \le i < d$) be a $g$-th root of $y_i$ (modulo $p^i q$) such that $x_i \equiv x_p \pmod p$. Then a $g$-th root $x_{i+1}$ of $y_{i+1}$ modulo $p^{i+1} q$ such that $x_{i+1} \equiv x_p \bmod p$ is given by $x_{i+1} = x_i + \eta_y\,(y_{i+1} - x_i^g) \bmod p^{i+1} q$.

Though a modular inverse modulo $p$ must be calculated for $\eta_y$, under some condition we can obtain $\eta_y$ efficiently.

Lemma 4. Assume that there exists some integer $0 < \alpha < p-1$, depending only on $p$ and $g$, such that $x_p = y_p^\alpha \bmod p$; then we have $(x_p^{g-1})^{-1} \bmod p = y_p^{\alpha-1} \bmod p$.

This follows from $y_p^{\alpha-1} \cdot x_p^{g-1} = (x_p \cdot y_p^{-1}) \cdot (y_p \cdot x_p^{-1}) = 1 \pmod p$. Thus, once we obtain $(x_p^{g-1})^{-1} \bmod p$, precalculating $g^{-1} \bmod p$, we have $\eta_y = g^{-1}\,(x_p^{g-1})^{-1} \bmod p$ by a single modular multiplication.

Let us next consider the condition in Lemma 4. That is, let us consider the relation between $p$ and $g$ such that there exists an integer $\alpha$ which depends only on $p$ and $g$ and such that for any $a \in (\mathbb{Z}_p^*)^g$, $a^\alpha$ is a $g$-th root of $a$ ($(a^\alpha)^g = a$).

Proposition 1. Let $p$ be a prime and $1 < g < p-1$ an integer. Then there exists an integer $\alpha = \alpha(p, g)$ ($1 \le \alpha \le p-1$) which depends only on $p$ and $g$ and satisfies $(a^\alpha)^g = a$ for any $a \in (\mathbb{Z}_p^*)^g$ if and only if $\gcd(g, (p-1)/g_0) = 1$, where $g_0 = \gcd(g, p-1)$. Here, $\alpha$ is given by

$$ \alpha = \alpha(p, g) = \frac{1 + u\,(p-1)/g_0}{g}, \qquad \text{where } u = \bigl(-(p-1)/g_0\bigr)^{-1} \bmod g. $$

Using the above discussion, if $g$ satisfies the condition of Proposition 1 for both $p$ and $q$, we have an efficient algorithm which calculates a $g$-th root (note that from one $g$-th root, all $g$-th roots are given by (2)).
Corollary 1. Let $p, q$ be prime integers. Let $d \ge 1$ be an integer, and $N = p^d q$. Let $g > 1$ be an integer which satisfies $g < \min(p-1, q-1)$ and $\gcd(g, (p-1)/\gcd(g, p-1)) = \gcd(g, (q-1)/\gcd(g, q-1)) = 1$. Moreover, let $z = p^{-1} \bmod q$ and $\gamma = g^{-1} \bmod p$. For any $y \in (\mathbb{Z}_N^*)^g$, put $y_p = y \bmod p$, $y_q = y \bmod q$, $y_i = y \bmod p^i q$ ($1 \le i \le d$), $y_d = y$. Then by calculating

$$ x_0 = y_p^{\alpha(p,g)-1} \bmod p, \qquad x_p = y_p\,x_0 \bmod p, $$
$$ \eta = \gamma\,x_0 \bmod p, \qquad x_q = y_q^{\alpha(q,g)} \bmod q, $$
$$ x_1 = x_p + p\,((x_q - x_p)\,z \bmod q), $$

and for $i = 2, 3, \dots, d$, $x_i = x_{i-1} + \eta\,(y_i - x_{i-1}^g) \bmod p^i q$, we have that $x := x_d$ is a $g$-th root of $y$ ($x^g = y \bmod N$).


2.4 Choices of Cryptographically Suitable Powering Functions 

We will discuss the optimal choice of the parameters $g, g_p, g_q$ and $d$ suitable for cryptography in the following.

Efficiency must be considered when we apply powering functions that can be proven to be one-way under the assumption of infeasibility of the integer factoring problem to cryptosystems. The cost of calculating the image will be lower if the powering index is smaller. Moreover, if the number of preimages is larger, then there will be some inconvenience as previously mentioned.


Table 1. Parameters for $2 \le g \le 8$.

   g    g_p   g_q   g_p . g_q     r
   2     2     2        4       .500
   3     1     3        3       .667
   3     3     3        9       .444
   4     2     4        8       .750
   4     4     4       16       .625
   5     1     5        5       .800
   5     5     5       25       .320
   6     2     6       12       .833
   6     6     6       36       .722
   7     1     7        7       .857
   7     7     7       49       .245
   8     2     8       16       .875
   8     4     8       32       .813
   8     8     8       64       .656

Table 1 shows all possibilities of $g_p, g_q$ for relatively small $g$'s. Note that cases where $p$ and $q$ are interchanged have been omitted, and that for even $g$ the parities of $g_p$ and $g_q$ (even or odd) coincide. Note also that the case $(g, g_p, g_q) = (2, 2, 2)$ (and $d = 1$) corresponds to the Rabin function. The value $g_p \cdot g_q$ indicates that the $g$-th power function $f$ is a $(g_p \cdot g_q)$-to-1 mapping, and it is desired to be small. $r$ is the constant coefficient appearing in the reduction probability of Theorem 1 (see also Appendix A for more details). Although a larger value is desired, it is sufficient if it is greater than 0.5. From this table, we can conclude that the case $(g, g_p, g_q) = (3, 1, 3)$ (or $(g, g_p, g_q) = (3, 3, 1)$), which has the smallest $g_p \cdot g_q$, is optimal for cryptosystems (the ratio is 0.667 and sufficiently large). Moreover, as we will see in Section 3.4, the $p^d q$-type modulus ($d \ge 2$) makes the preimage calculation more efficient using the proposed algorithm in Section 2.3.
Table 2. (3,1,3)-type and other typical functions.

  type           map          condition    p^d q-type modulus     assumption for
  (g, g_p, g_q)  g_p g_q : 1  for p, q     d = 1      d >= 2      one-wayness
  (e, 1, 1)      1:1          symmetric    RSA                    RSA
  (3, 1, 3)      3:1          asymmetric   --         F           IF
  (2, 2, 2)      4:1          symmetric    Rabin      HIME        IF

Thus, letting $F$ $(= f_{N,3})$ be the (3,1,3)-type function with the $p^d q$-type modulus ($d \ge 2$), we can conclude that $F$ is most suitable for cryptography. Table 2 sums up the positions of $F$ and other typical functions including RSA functions. In the table, IF stands for integer factorization.

3 Application to Digital Signatures

As cryptographic applications of the arguments in the previous sections, we propose digital signature schemes using the cubic function considered in Section 2.4, and confirm the advantages of the proposed cubic function, especially in terms of efficiency (Section 3.4).

3.1 Basic Notation

We start by recalling the basic notion of digital signature schemes according to [3,6,12].

Definition 5. A signature scheme $(\mathcal{G}, \mathcal{S}, \mathcal{V})$ is defined as follows:

The key generation algorithm $\mathcal{G}$ is a PPT algorithm which has input $1^k$ and outputs a pair of matching public and secret keys $(pk, sk)$.

The signature generation algorithm $\mathcal{S}$ takes a message $M$ to be signed and the public and secret keys $(pk, sk)$, and outputs a signature $x = \mathcal{S}_{pk,sk}(M)$.

The signature verification algorithm $\mathcal{V}$ takes a message $M$, a candidate signature $x'$ and the public key $pk$, and outputs a bit $\mathcal{V}_{pk}(M, x')$, equal to 1 if the signature is accepted and 0 otherwise. We require that if $x' = \mathcal{S}_{pk,sk}(M)$, then $\mathcal{V}_{pk}(M, x') = 1$.

On the security of signatures, we only deal with existential unforgeability under an adaptive chosen message attack, which is the strongest notion ([3,6]). In this scenario, a forger of a signature can dynamically obtain signatures of messages of his choice and attempts to output a valid signature, where a pair of message and signature $(M, x)$ is said to be a valid forgery if $\mathcal{V}_{pk}(M, x) = 1$ and the signature of $M$ was never requested by the forger.

Most signature schemes use hash functions, and their security is proven in the random oracle model, that is, the model in which the hash functions are appropriately replaced with random oracles ([1]). In this model, forgers are allowed to access the random oracles. The resistance against these attacks is defined as follows:
Definition 6. A forger $A$ (a PPT algorithm) is said to $(t, q_H, q_s, \epsilon)$-break the signature scheme $(\mathcal{G}, \mathcal{S}, \mathcal{V})$ if after at most $q_H(k)$ queries to the hash oracles, $q_s(k)$ signature queries and $t(k)$ processing time, it outputs a valid forgery with probability at least $\epsilon(k)$ (for any $k \in \mathbb{N}$). A signature scheme $(\mathcal{G}, \mathcal{S}, \mathcal{V})$ is $(t, q_H, q_s, \epsilon)$-secure if there exists no forger who $(t, q_H, q_s, \epsilon)$-breaks the scheme.


3.2 Proposed Signature Scheme: Scheme 1

We now propose new signatures constructed with the (3,1,3)-type cubic residue function $F$ of Section 2.4 (in the case $d = 2$). These are proven to be secure under the assumption of integer factoring infeasibility.

First, we will consider the (full domain) hash & sign (F-FDHS) signature, which is the most fundamental. Fix an integer $a > 1$ (regard $a$ as a system parameter).

Key Generation

Generate random distinct prime numbers $p$ and $q$ of the same length such that $p \equiv 2 \bmod 3$ and $q \equiv 4$ or $7 \bmod 9$, choose a non-cubic residue $a$ modulo $q$, and put $N = p^2 q$. Let $H : \{0,1\}^* \to \mathbb{Z}_N^*$ be a hash function. Then output the public key $(N, H)$ and the secret key $(p, q)$ ($a$ is open to the public as a system parameter).

Signature Generation

1. For a message $M$, calculate $w = H(M)$.

2. Let $y$ be the one of $w, aw, a^2 w$ which is a cubic residue.

3. Calculate a cubic root $x$ of $y$ ($x \in F^{-1}(y)$).

4. Output $x$ and end.

Signature Verification

1. For the message $M$, calculate $w' = H(M)$.

2. Calculate $y' = x^3 \bmod N$.

3. If $y'$ coincides with one of $w', aw', a^2 w'$, then output 1, else output 0 and end.

Remark 1. Note that from Lemma 1 it is easily seen that exactly one of $w, aw$ or $a^2 w$ is a cubic residue, and we can determine which one by calculating $\chi_{q,3}$ (this function is also a powering function). Therefore, we do not have to recompute the hash value $H(M)$, and for a given message $M$ we can uniquely generate the signature $x$ of $M$. Kurosawa et al. proposed a similar technique for the Rabin signature [9].

We can prove that F-FDHS is secure in the random oracle model (the hash function $H$ is replaced with a random oracle) under the assumption of integer factoring infeasibility. The proof is basically similar to that of [9].

For the fixed $a$ and a positive integer $k$, let

$$ \mathcal{N}_k = \left\{ N = p^2 q \;\middle|\; p, q : \text{primes},\ |p| = |q| = k,\ p \bmod 3 = 2,\ q \bmod 9 = 4 \text{ or } 7,\ a \in \mathbb{Z}_q^* \setminus (\mathbb{Z}_q^*)^3 \right\} $$

and put $\mathcal{N} = \bigcup_k \mathcal{N}_k$. Then we can prove the following theorem, whose proof can be found in Appendix C.

Theorem 2. If $\mathcal{N}$ is $(t_I, \epsilon_I)$-secure, then F-FDHS is $(t, q_H, q_s, \epsilon)$-secure, where

$$ t_I(k) = t(k) + (q_H + q_s + 2)\,O(k^3), \qquad \epsilon_I(k) = (2/3)\,\epsilon(k). $$

In the following, combining the idea in Lemma 1 and Corollary 1, we propose an efficient algorithm, denoted by $\Phi$, which for a given $w \in \mathbb{Z}_N^*$ determines which of $w, aw$ or $a^2 w$ is a cubic residue, and then calculates its cubic root. The validity of the algorithm can be found in Appendix D.

Let $\gamma = (p+1)/3$ and $z = p^{-1} \bmod q$. Let $\beta_p = (2p-4)/3$, and let $\beta_q = (2q-8)/9$, $C = a^{(q-1)/3} \bmod q$ if $q \equiv 4 \bmod 9$, and $\beta_q = (q-7)/9$, $C = a^{2(q-1)/3} \bmod q$ if $q \equiv 7 \bmod 9$. Finally, let $b = a^{\beta_q + 1} \bmod q$.

Algorithm $\Phi$

Input: $N, a, p, q, \beta_p, \beta_q, b, C, z, \gamma$ and $w \in \mathbb{Z}_N^*$.

Output: $x \in \mathbb{Z}_N^*$ s.t. $x^3 \bmod N \in \{w,\ aw \bmod N,\ a^2 w \bmod N\}$.

Step 1. Check the cubic residuosity modulo $q$ and calculate a cubic root
Step 1.1. $w_q = w \bmod q$.
Step 1.2. $w_1 = w_q^{\beta_q} \bmod q$.
Step 1.3. $x_q = w_1 w_q \bmod q$.
Step 1.4. $w_3 = w_1 x_q^2 \bmod q$.
Step 1.5. If $w_3 \ne 1$ then
Step 1.5.1. Set $x_q \leftarrow b\,x_q \bmod q$, $w \leftarrow aw \bmod N$.
Step 1.5.2. If $w_3 \ne C$ then set $x_q \leftarrow b\,x_q \bmod q$, $w \leftarrow aw \bmod N$.
Step 2. Calculate a cubic root modulo $p$
Step 2.1. $w_p = w \bmod p$.
Step 2.2. $x_0 = w_p^{\beta_p} \bmod p$.
Step 2.3. $x_p = w_p x_0 \bmod p$.
Step 2.4. $\eta = \gamma x_0 \bmod p$.
Step 3. $x_1 = x_p + p\,((x_q - x_p)\,z \bmod q)$.
Step 4. $x = x_1 + \eta\,(w - x_1^3) \bmod N$.
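The Python program below is an added example, not code from the paper, covering Corollary 1 and Algorithm $\Phi$ together. It implements Corollary 1 for a general exponent $g$ and $N = p^d q$ (the $\alpha(p,g)$ of Proposition 1, the CRT step of Lemma 2 and the inversion-free Hensel lift of Lemma 3), then Algorithm $\Phi$ step by step for the $p^2 q$ cubic case, and finally the F-FDHS key generation, signing and verification of Section 3.2 on top of $\Phi$. The primes are small illustrative ones, the full-domain hash $H$ is replaced by SHA-256 reduced modulo $N$ (a stand-in, not the paper's construction), and all function names are this example's own.

```python
import hashlib
import math


def alpha(p, g):
    """alpha(p, g) of Proposition 1: a^alpha is a g-th root of a for every
    g-th power residue a mod p.  Needs gcd(g, (p-1)/gcd(g, p-1)) == 1."""
    g0 = math.gcd(g, p - 1)
    m = (p - 1) // g0
    if math.gcd(g, m) != 1:
        raise ValueError("prime violates the condition of Proposition 1")
    u = pow(-m % g, -1, g)                 # u = (-(p-1)/g0)^{-1} mod g
    return (1 + u * m) // g


def gth_root(y, p, q, d, g):
    """Corollary 1: a g-th root of y in Z_N^*, N = p^d q, with no modular
    inversion at run time (z and gamma are per-key constants)."""
    z, gamma = pow(p, -1, q), pow(g, -1, p)
    y_p, y_q = y % p, y % q
    x0 = pow(y_p, alpha(p, g) - 1, p)      # (x_p^{g-1})^{-1} mod p  (Lemma 4)
    x_p = y_p * x0 % p
    eta = gamma * x0 % p                   # eta_y = (g x_p^{g-1})^{-1} mod p
    x_q = pow(y_q, alpha(q, g), q)
    x = x_p + p * ((x_q - x_p) * z % q)    # Lemma 2: root modulo p q
    for i in range(2, d + 1):              # Lemma 3: lift to p^i q
        mod = p ** i * q
        x = (x + eta * (y % mod - pow(x, g, mod))) % mod
    return x


def non_cubic_residue(q):
    """Smallest a with chi_{q,3}(a) != 1 (key generation's choice of a)."""
    return next(a for a in range(2, q) if pow(a, (q - 1) // 3, q) != 1)


def keygen(p, q, a):
    """Public N, secret (p, q) and the precomputed constants of Phi."""
    if p % 3 != 2 or q % 9 not in (4, 7) or pow(a, (q - 1) // 3, q) == 1:
        raise ValueError("need p = 2 mod 3, q = 4 or 7 mod 9, a non-cubic mod q")
    if q % 9 == 4:
        beta_q, C = (2 * q - 8) // 9, pow(a, (q - 1) // 3, q)
    else:
        beta_q, C = (q - 7) // 9, pow(a, 2 * (q - 1) // 3, q)
    return dict(N=p * p * q, a=a, p=p, q=q, beta_p=(2 * p - 4) // 3, beta_q=beta_q,
                b=pow(a, beta_q + 1, q), C=C, z=pow(p, -1, q), gamma=(p + 1) // 3)


def phi(w, k):
    """Algorithm Phi: returns x with x^3 mod N in {w, a w, a^2 w} (mod N)."""
    p, q, a, N = k["p"], k["q"], k["a"], k["N"]
    # Step 1: residuosity test mod q; w3 == 1 iff w is a cubic residue mod q
    w_q = w % q
    w1 = pow(w_q, k["beta_q"], q)
    x_q = w1 * w_q % q
    w3 = w1 * x_q * x_q % q
    if w3 != 1:                            # move to a w, or to a^2 w if w3 != C
        x_q, w = k["b"] * x_q % q, a * w % N
        if w3 != k["C"]:
            x_q, w = k["b"] * x_q % q, a * w % N
    # Step 2: cube root mod p (p = 2 mod 3, so cubing is a bijection)
    w_p = w % p
    x0 = pow(w_p, k["beta_p"], p)
    x_p = w_p * x0 % p
    eta = k["gamma"] * x0 % p
    # Step 3: CRT to modulus p q;  Step 4: one Hensel step up to p^2 q
    x1 = x_p + p * ((x_q - x_p) * k["z"] % q)
    return (x1 + eta * (w - pow(x1, 3, N))) % N


def full_domain_hash(M, N):
    """Stand-in for H : {0,1}* -> Z_N^* (SHA-256 reduced mod N, nudged to a unit)."""
    w = int.from_bytes(hashlib.sha256(M).digest(), "big") % N
    while math.gcd(w, N) != 1:
        w = (w + 1) % N
    return w


def sign(M, k):
    """F-FDHS signing: cube root of whichever of H(M), aH(M), a^2H(M) is a residue."""
    return phi(full_domain_hash(M, k["N"]), k)


def verify(M, x, N, a):
    """F-FDHS verification with the public key (N, H) and system parameter a."""
    w = full_domain_hash(M, N)
    return pow(x, 3, N) in (w, a * w % N, a * a * w % N)


if __name__ == "__main__":
    p, q = 65537, 131071                   # toy primes: 65537 = 2 (mod 3), 131071 = 4 (mod 9)
    key = keygen(p, q, non_cubic_residue(q))
    sig = sign(b"example message", key)
    print(sig, verify(b"example message", sig, key["N"], key["a"]))
```

Signing is deterministic: for a given message, $\Phi$ always selects the same multiplier $a^i$ and the same one of the three cube roots, which is the point of Remark 1. The same `phi` serves Schemes 2 and 3 unchanged; only the construction of $w$ from $H$ and $G$ differs.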

3.3 Other Constructions: Schemes 2 and 3 

In the following, we present two additional constructions of digital signatures 
based on the generalized powering function. 

Scheme 2. Let us consider a scheme F-2HS (2-hash and sign) that is slightly changed from scheme 1: F-FDHS. Similarly, fix an integer $a > 1$ and let $k_1, k_2$ be positive integers such that $k_1 + k_2 < |N|$ (the modulus length), and regard these as system parameters in addition to $a$ in scheme 1. The key generation is the same as for scheme 1 except for letting $H : \{0,1\}^* \to \{0,1\}^{k_1}$ and $G : \{0,1\}^{k_1} \to \{0,1\}^{k_2}$ be hash functions ($H$: compressor, $G$: generator). The public key is $(N, H, G)$, and the secret key is $(p, q)$.
Signature Generation

1. For a message $M$, calculate $w_1 = H(M)$, $w_2 = G(w_1)$ and let $w = w_1 \| w_2$.

2. Let $y$ be the one of $w, aw, a^2 w$ which is a cubic residue.

3. Calculate a cubic root $x$ of $y$ ($x \in F^{-1}(y)$).

4. Output $x$ and end.

Signature Verification

1. For $M$, calculate $w'_1 = H(M)$, $w'_2 = G(w'_1)$ and let $w' = w'_1 \| w'_2$.

2. Calculate $y' = x^3 \bmod N$.

3. If $y'$ coincides with one of $w', aw', a^2 w'$, then output 1, else output 0 and end.

This scheme can also be proven to be secure in the random oracle model (the hash functions $H$ and $G$ are replaced with random oracles) under the factoring assumption. Let $\mathcal{N}$ be the same as in scheme 1. We then have the following:

Theorem 3. If $\mathcal{N}$ is $(t_I, \epsilon_I)$-secure, then F-2HS is $(t, q_H, q_G, q_s, \epsilon)$-secure, where

$$ t_I(k) = t(k) + (q_H + q_s + 2)\,O(k^3), \qquad \epsilon_I(k) = (2/3)\,\epsilon(k). $$

This scheme is nothing more than a version of PSS ([3]) without the random number part, and is not essentially different from scheme 1. However, with respect to implementation, one has to bother with the construction of hash functions with long output from short-output functions (e.g. [17]), and in most cases this is inefficient when the hash function deals with very long messages.

Scheme 3. Finally, we will consider a message recovery signature scheme F-MR (message recovery) based on scheme 2: F-2HS. For this scheme, the message length is restricted to $|M| = k_2$. The key generation and signature generation are the same as in scheme 2, except that we set $w_2 = G(w_1) \oplus M$ in Step 1 of the signature generation (Fig. 1). The signature verification and message recovery are as follows:

Signature Verification

1. Calculate $y' = x^3 \bmod N$.

2. For $i = 0, 1, 2$,

2.1. Calculate $y_i = w_{1,i} \| w_{2,i} = a^{-i} y' \bmod N$ ($|w_{1,i}| = k_1$, $|w_{2,i}| = k_2$).

2.2. Calculate $M_i = w_{2,i} \oplus G(w_{1,i})$.

3. If $w_{1,i} = H(M_i)$ for some $i$, then output 1 and $M_i$, else output 0 and end.

Similarly, for this scheme we can prove the following:

Theorem 4. If $\mathcal{N}$ is $(t_I, \epsilon_I)$-secure, then F-MR is $(t, q_H, q_G, q_s, \epsilon)$-secure, where

$$ t_I(k) = t(k) + (q_H + q_s + 2)\,O(k^3), \qquad \epsilon_I(k) = (2/3)\,\epsilon(k). $$

Similar to scheme 2, this scheme is nothing more than a version of PSS-R ([3]) without the random number part, and this makes the message embedded in the signature longer than that of PSS-R.

As we have seen, the proposed schemes need no trial and error in hashing 
messages and in finding the cubic residue. This has a good effect on efficiency 
especially with huge messages. In what follows, we discuss the advantages in 
efficiency of the proposed schemes in detail. 
Fig. 1. Paddings for Schemes 2 and 3. (The figure is not reproduced here; it shows the 
padding strings w_1 = H(M) || w_2 = G(w_1) for Scheme 2, F-2HS, and 
w_1 = H(M) || G(w_1) ⊕ M for Scheme 3, F-MR.) 

3.4 Efficiency Consideration 

In this section, we estimate the efficiency of the signature schemes 1, 2 and 3 
introduced in the previous sections. 

The proposed schemes use a modulus of the form N = p^2 q (|p| ≈ |q|). In order 
to compare the proposed schemes fairly with the RSA signature, we estimate the 
efficiency of a fast variant of RSA signature, namely Multi-Prime RSA with N = 
pqr (|p| ≈ |q| ≈ |r|) [13]. We consider the efficiency of signature generation, which 
has higher cost than signature verification. Note that the Multi-prime 
(pqr-type) Rabin scheme has the same efficiency as the RSA signature in signature 
verification. 

The efficiency of public-key cryptosystems and digital signatures is frequently 
estimated by the number of modular multiplications. Let us introduce the following 
notation to represent the amount of calculation. Let Mul(t) denote the 
amount of calculation for an integer multiplication of t-bit integers. Similarly, 
let RMul(t) be that for a modular multiplication with a t-bit modulus, and 
Red(s, t) that for the reduction of an s-bit integer by a t-bit modulus. Also, let RP(t) 
be the number of modular multiplications with a t-bit modulus needed for powering with a 
t-bit exponent. 

In Schemes 1, 2 and 3, the steps for checking the cubic residuosity and 
calculating a cubic root (the function Φ in Section 3.2) comprise a large percentage 
of signature generation. Thus we consider the efficiency of Φ. Let ℓ be the bit- 
length of the modulus N = p^2 q (|p| ≈ |q|). Signature generation needs the following 
amount of calculation: 

(8 + 2 · RP(ℓ/3)) · RMul(ℓ/3) + 3 · RMul(ℓ) + 2 · Red(ℓ, ℓ/3) + Mul(ℓ/3). 

On the other hand, let ℓ be the bit-length of the Multi-Prime RSA modulus 
N = pqr (|p| ≈ |q| ≈ |r|); then the generation of a Multi-Prime RSA signature 
[13] needs 

(1 + 3 · RP(ℓ/3)) · RMul(ℓ/3) + 3 · Red(ℓ, ℓ/3) + Mul(ℓ/3). 

We have approximately RMul(t) ≈ n^2 · RMul(t/n) and Mul(t) ≈ (1/2) · RMul(t). 
Moreover, if we use the Montgomery method [11] for modular reduction, then we 
have Red(t, t/n) ≈ ((n + 1)/n^2) · RMul(t). We take as the unit the cost of a 
modular multiplication on a 1024-bit modulus: 1 = RMul(1024). We also assume 
that a t-bit modular multiplication costs ξ(t) := (t/1024)^2. Then the amount of 
calculation for the signature generation of the proposed and RSA schemes is 

Proposed schemes : {29/6 + (2/9) RP(ℓ/3)} ξ(ℓ), 

Multi-Prime RSA : {3/2 + (1/3) RP(ℓ/3)} ξ(ℓ). 
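
To see where the constants 29/6 and 3/2 come from, substitute the approximations just stated (with n = 3) into the two operation counts above and express everything in units of RMul(ℓ) = ξ(ℓ). This intermediate computation is added here and is not part of the original text; it uses only the paper's own cost symbols.

$$
\mathrm{RMul}(\ell/3) \approx \tfrac{1}{9}\,\mathrm{RMul}(\ell),\qquad
\mathrm{Red}(\ell,\ell/3) \approx \tfrac{3+1}{3^2}\,\mathrm{RMul}(\ell) = \tfrac{4}{9}\,\mathrm{RMul}(\ell),\qquad
\mathrm{Mul}(\ell/3) \approx \tfrac{1}{2}\,\mathrm{RMul}(\ell/3) \approx \tfrac{1}{18}\,\mathrm{RMul}(\ell).
$$

$$
\begin{aligned}
\text{Proposed schemes:}\quad & \frac{8 + 2\,\mathrm{RP}(\ell/3)}{9} + 3 + 2\cdot\frac{4}{9} + \frac{1}{18}
 = \frac{16 + 54 + 16 + 1}{18} + \frac{2}{9}\,\mathrm{RP}(\ell/3) = \frac{29}{6} + \frac{2}{9}\,\mathrm{RP}(\ell/3),\\
\text{Multi-Prime RSA:}\quad & \frac{1 + 3\,\mathrm{RP}(\ell/3)}{9} + 3\cdot\frac{4}{9} + \frac{1}{18}
 = \frac{2 + 24 + 1}{18} + \frac{1}{3}\,\mathrm{RP}(\ell/3) = \frac{3}{2} + \frac{1}{3}\,\mathrm{RP}(\ell/3).
\end{aligned}
$$

The term 3 · RMul(ℓ), the only full-size multiplications in the proposed count, accounts for 3 of the 29/6 ≈ 4.83, which is why the proposed schemes have the larger constant term; the RP(ℓ/3) term is the one that grows with the modulus size.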

For modular powering, we adopt the basic binary method. If we assume that 
half the bits in the exponent are non-zero, then this method needs 3t/2 modular 
multiplications with a t-bit modulus (where we also assume that modular squaring 
and modular multiplication have the same amount of calculation). Taking 
all this into account, the number of modular multiplications in the proposed 
schemes and the RSA signature, and their ratio, are as follows: 

Proposed schemes : (29/6 + ℓ/81) ξ(ℓ), Multi-Prime RSA : (3/2 + ℓ/36) ξ(ℓ), 
Multi-Prime RSA / Proposed schemes ≈ 1.71. 

Thus, we can say that the proposed schemes are considerably more efficient in 
signature generation than the Multi-Prime RSA signature. Similarly, we can see that 
the proposed schemes are three or more times more efficient than the pq-type 
RSA-CRT signature. 


4 Summary 

We studied modular powering functions suitable for cryptography. In particular, 
we proposed 3-to-1 functions, which can be proven to be one-way under the 
factoring assumption. The three ambiguities of the kernel can easily be distin- 
guished by a non-cubic residue element. For the p^d q-type modulus (d ≥ 2), we 
proposed a more efficient method of calculating preimages for these functions, 
which requires no modular inversion algorithm for Hensel lifting. Thus we can 
say that the proposed functions are optimized in terms of security and efficiency. 

As cryptographic applications, we also proposed new digital signature 
schemes which utilize the new functions with d = 2. Finally, we showed that the 
proposed schemes are about 1.71 times more efficient than Multi-Prime RSA 
with a modulus of the same length (more than three times faster than the pq-type 
RSA-CRT signature). 
A Proof of Theorem 1 

We begin with the next lemma. 

Lemma 5. If we identify Z_N with the integers between 0 and N − 1, then as integers, 
for 0 < i < g_p and 0 < j < g_q, the following hold: 

gcd(φ(ζ_{p,g}^i, 1) − 1, N) = q, gcd(φ(1, ζ_{q,g}^j) − 1, N) = p^d. 

Proof. Since φ(ζ_{p,g}^i, 1) − 1 mod p^d = ζ_{p,g}^i − 1 ≠ 0, and φ(ζ_{p,g}^i, 1) − 1 mod q = 
1 − 1 = 0, we can see that the greatest common divisor of this and N is equal 
to q. Similarly we can prove the second equation. 

Let us denote the set of roots of unity in Lemma 5 by 

H_{N,g} = {φ(ζ_{p,g}^i, 1) | 0 < i < g_p} ∪ {φ(1, ζ_{q,g}^j) | 0 < j < g_q} ⊂ Z_{N,g}. 

Moreover, let us define G_{N,g} as follows: 

G_{N,g} = {x ∈ Z_{N,g} | x^e ∈ H_{N,g} for some divisor e of g}. 

From the definition, H_{N,g} ⊂ G_{N,g}. Then the number of elements in G_{N,g}, 
denoted by g_{N,g}, is given by the following. 

Lemma 6. g_{N,g} = g_p g_q − Σ_{e | gcd(g_p, g_q)} φ(e)^2. 

Proof. φ(ζ_{p,g}^i, ζ_{q,g}^j) ∈ Z_{N,g} is in G_{N,g} if and only if the order of its 
p-part differs from the order of its q-part. Hence the elements in Z_{N,g} \ G_{N,g} 
are those whose p-part and q-part have the same order; in this case the orders are divi- 
sors of gcd(g_p, g_q). For each divisor e | gcd(g_p, g_q), the number of elements whose 
p-part and q-part both have order e is equal to φ(e)^2 (φ(e) denoting Euler's function), which gives the desired result. 

Proof of Theorem 1: We now give the proof of Theorem 1. Under the as- 
sumptions, let us put g_p = gcd(g, p − 1), g_q = gcd(g, q − 1); then f is a g_p g_q : 1 
(g_p g_q > 1) function (of course, the adversary does not know p, q, but she knows 
that f is not injective). We assume that there exists a PPT algorithm A which 
computes a preimage of f. That is, A has input k, d, g, D_1, D_2, N, y, and it 
outputs x' in f^{-1}(y) = {x ∈ Z*_N | x^g = y} with non-negligible probability. Using 
A, we construct an algorithm M which factors N as follows: 

Input of M : k, d, g, D_1, D_2, N 
Output of M : a prime factor of N 

1. Choose randomly x ∈ Z*_N (x ≠ 1). 

2. Calculate y = x^g mod N. 

3. Input (k, d, g, D_1, D_2, N, y) to A. 

4. For an output x' of A, if y ≠ x'^g mod N, then Fail. 

5. Calculate z = x'/x mod N. 

6. For each divisor e of g, calculate w = gcd((z^e − 1 mod N), N); if w is a 
non-trivial divisor of N, then output w and end; otherwise Fail. 

In Step 6, it outputs a non-trivial divisor w if and only if z ∈ G_{N,g}, hence 
the success probability in Step 6 is equal to g_{N,g}/(g_p g_q). If we put the success 
probability of A (that is, the probability that it does not Fail in Step 4) to 
Adv(A) = ε, then, by Lemma 6, the final success probability of M, namely the 
probability that M factors N, is equal to 

ε · g_{N,g}/(g_p g_q) = ε · (g_p g_q − Σ_{e | gcd(g_p, g_q)} φ(e)^2)/(g_p g_q), 

which is non-negligible by the assumptions. 
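
The reduction M above, run on a constructed toy instance. This example is mine, not the paper's: it stands in for the hypothetical inverter A with a brute-force preimage table (possible only because N is tiny), and the parameters p = 5, q = 7, g = 3 are chosen so that g_p = gcd(3, 4) = 1 and g_q = gcd(3, 6) = 3, the same 3-to-1 setting the signature schemes use. The function names are my own.

```python
import random
from math import gcd

# Constructed toy instance (mine, not the paper's): p = 5 (3 does not divide p - 1,
# so cubing is a bijection mod p^2), q = 7 (3 divides q - 1), N = p^2 q = 175, g = 3.
# Then g_p = 1, g_q = 3 and f(x) = x^3 mod N is 3-to-1 on Z_N^*.
P, Q, G_EXP = 5, 7, 3
N = P * P * Q

def units(n):
    return [x for x in range(1, n) if gcd(x, n) == 1]

def build_preimage_oracle(n, g):
    """Stand-in for the inverter A of Theorem 1: a brute-force table of the
    preimages of x^g mod n.  Feasible only for a toy n.  It always returns the
    same preimage, so M's success comes entirely from its own random choice of x."""
    table = {}
    for x in units(n):
        table.setdefault(pow(x, g, n), []).append(x)
    return lambda y: table.get(y, [None])[0]

def factor_attempt(n, g, oracle, rng):
    """One run of algorithm M (Steps 1-6).  Returns a non-trivial divisor or None (Fail)."""
    x = rng.choice(units(n)[1:])                        # Step 1: random x in Z_N^*, x != 1
    y = pow(x, g, n)                                    # Step 2
    x_prime = oracle(y)                                 # Step 3: ask A for a preimage
    if x_prime is None or pow(x_prime, g, n) != y:      # Step 4: A failed
        return None
    z = x_prime * pow(x, -1, n) % n                     # Step 5: z = x'/x, a g-th root of unity
    for e in (e for e in range(1, g + 1) if g % e == 0):    # Step 6: each divisor e of g
        w = gcd((pow(z, e, n) - 1) % n, n)
        if 1 < w < n:
            return w
    return None

def factor_with_oracle(n, g, oracle, seed=1, max_trials=200):
    """Repeat M until it succeeds; returns (w, n // w).  For N = p^2 q, w = p^2."""
    rng = random.Random(seed)
    for _ in range(max_trials):
        w = factor_attempt(n, g, oracle, rng)
        if w is not None:
            return w, n // w
    return None

def empirical_success_rate(n, g, oracle, trials=3000, seed=2):
    """Approaches g_{N,g} / (g_p g_q) = (3 - 1) / 3 = 2/3 for this toy instance."""
    rng = random.Random(seed)
    hits = sum(factor_attempt(n, g, oracle, rng) is not None for _ in range(trials))
    return hits / trials
```

The measured rate sits just above 2/3 (Step 1 excludes x = 1, which would always fail), and it is the same 2/3 that reappears as ε_I = (2/3) ε in Theorem 2: whichever cube root the inverter returns, with probability 2/3 it differs from x in its q-part, and then z − 1 is divisible by p^2 but not by q, so gcd(z − 1, N) = p^2.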

B Proofs of Lemmas in Section 2.3 

Proof of Lemma 3: By the assumptions, we have y_{i+1} − x_i^g mod p^i q = y_i − 
x_i^g mod p^i q = 0. Hence x_{i+1} mod p = x_i mod p = x_p. Moreover, x_{i+1}^g = x_i^g + 
g x_i^{g−1} η_y (y_{i+1} − x_i^g) mod p^{i+1} q, and by the assumption on x_i and the definition 
of η_y, we have g x_i^{g−1} η_y mod p = g x_p^{g−1} η_y mod p = 1 mod p. Therefore, we have 
x_{i+1}^g mod p^{i+1} q = x_i^g + y_{i+1} − x_i^g mod p^{i+1} q = y_{i+1}. 

Proof of Proposition 1: Let a be a generator of the cyclic group (Z*_p)^g. The 
order of a is equal to (p − 1)/g_0. If there exists an integer α which satisfies the 
condition, we have (a^α)^g = a, thus it must hold that α · g = 1 (mod (p − 1)/g_0). That 
is, g must be prime to (p − 1)/g_0. Conversely, if gcd(g, (p − 1)/g_0) = 1, then 
let α be as above; it is directly checked that it satisfies the condition. As the 
order of a is (p − 1)/g_0, we have a^{αg} = a^{1 + u{(p − 1)/g_0}} = a (mod p). Moreover, 
u = {−(p − 1)/g_0}^{−1} mod g, hence the numerator of α is divisible by g, thus α 
is an integer. Since u ≤ g − 1 and g_0 ≤ g < p − 1, we have 1 + u{(p − 1)/g_0} ≤ 
1 + (g − 1){(p − 1)/g_0} < g(p − 1)/g_0 ≤ g(p − 1). Thus α satisfies 1 ≤ α ≤ p − 1. 

C Proofs of the Security of Proposed Schemes 

Proof of Theorem 2: Let A be a forger which (t, q_H, q_S, ε)-breaks the signature 
scheme F-FDH. The input of A is a public key (N, a). A has oracle access to the 
random oracle H. Then we construct the factoring algorithm I which can (t_I, ε_I)- 
break 𝒩 by using A. The input of I is N ∈ 𝒩. I gives A the public key N (we 
assume that I and A know a as a system parameter). After this, A begins to 
make sign queries and hash queries. For these queries, I behaves as follows. 

If A makes a sign query without having made the corresponding hash query, 
I at once goes ahead and makes the hash query itself, and then answers the 
sign query as described below. Similarly for the output forgery; thus we may 
assume that if A makes a sign query or outputs a forgery, then it has already 
made the corresponding hash query. Hence, the effective number of hash queries is at 
most q(k) = q_H(k) + q_S(k) + 1. 

To answer queries, I maintains the query-mapping table (Q, Λ) as follows: Start 
with Q = Λ = ∅ (empty set). Suppose A makes a hash query m. 

If m ∉ Q, then I chooses randomly r ∈_R Z*_N and i ∈ {0, 1, 2}, returns 
H(m) = r^3/a^i mod N, and sets Q = Q ∪ {m}, Λ = Λ ∪ {(m, r, i, H(m))}. 

If m ∈ Q, then I finds the corresponding (m, r, i, H(m)) ∈ Λ and returns 
H(m) (= r^3/a^i mod N). 

Next, suppose that A makes a sign query m. As mentioned above, we can 
assume that there was already a hash query m, hence there exists a corresponding 
(m, r, i, H(m)) ∈ Λ. I finds this and returns r as the signature for m. 

Finally, suppose that A outputs a forgery (m̃, s). If s is valid, then for some 
i, a^i H(m̃) = s^3 mod N. N is chosen randomly and H is random by our con- 
struction of I. Hence A cannot distinguish the behavior of I from the original 
game, thus A succeeds in this simulation with its original success probability ε. 

On the other hand, by the assumption, m̃ ∈ Q, thus there exists the cor- 
responding (m̃, r, i, H(m̃)) ∈ Λ, and it holds that r^3 = s^3 mod N. Suppose that s is 
valid. From the argument in Theorem 1, using the above equations (if r ≠ s), 
a non-trivial factor of N can be calculated with success probability 2/3. Thus I 
succeeds in factoring N with probability ε_I = (2/3) ε. 

Let t_0(k) be the processing time for a modular multiplication with a k-bit modulus. 
I carries out 3 modular multiplications for each hash query, hence, also from 
Theorem 1, the processing time t' of I is given by 

t' ≤ t + O(k^3) + 3 (q_H + q_S + 1) t_0(k) 

= t + (q_H + q_S + 2) O(k^3). 

Proof of Theorems 3 and 4: Theorem 3 can be proven just like Theorem 2 except 
for the behavior of the simulator I. 

First, I maintains the query-mapping tables (Q_H, Λ_H) and (Q_G, Λ_G), starting with 
empty sets. Suppose the forger A makes an H-query m. If m ∉ Q_H, then I chooses 
r ∈_R Z*_N and i ∈ {0, 1, 2}, calculates y = w_1 || w_2 = r^3/a^i mod N (|w_1| = k_1, 
|w_2| = k_2) and sets Q_H = Q_H ∪ {m}, Λ_H = Λ_H ∪ {(m, r, i, w_1, w_2)}, Q_G = 
Q_G ∪ {w_1}, Λ_G = Λ_G ∪ {(w_1, w_2)}. Finally, I returns H(m) = w_1. If m ∈ Q_H, 
then I finds the corresponding (m, r, i, w_1, w_2) ∈ Λ_H and returns H(m) = w_1. 

When A makes a G-query w_1, if w_1 ∈ Q_G, then I finds the corresponding 
(w_1, w_2) ∈ Λ_G and returns G(w_1) = w_2; else I generates a random r_2 with |r_2| = k_2, 
sets Q_G = Q_G ∪ {w_1}, Λ_G = Λ_G ∪ {(w_1, r_2)} and returns G(w_1) = r_2. 

Finally, suppose that A makes a sign query m. We can assume that m ∈ 
Q_H, hence I can find the corresponding (m, r, i, w_1, w_2) ∈ Λ_H and returns r as a 
signature for m. 

Then, as in Theorem 2, we can see that I can factor the modulus using the 
forgery output by A with the indicated probability and processing time. 

The proof for Theorem 4 is similar to that of Theorem 3, so we omit the details. 
D Validity of the Algorithm Φ 

We can easily obtain the algorithm Φ from Corollary 1 and the following lemma. 

Let a ∈ Z*_q be a non-cubic residue and fix it. In each of the cases q mod 9 = 4 and q mod 9 = 7, 
define the following: in case q mod 9 = 4, α = (2q + 1)/9 and ζ = a^{(q−1)/3} mod q; 
in case q mod 9 = 7, α = (q + 2)/9 and ζ = a^{2(q−1)/3} mod q. Moreover, put 
β = α − 1 and b = a^α mod q. 

Lemma 7. For w ∈ Z*_q, put w_1 = w^β mod q, w_2 = w_1 · w mod q and w_3 = 
w_1 · w_2^2 mod q. Then w_3 ∈ {1, ζ, ζ^2}, and we have the following: w_2^3 = w mod q 
if w_3 = 1, (b w_2)^3 = a w mod q if w_3 = ζ, and (b^2 w_2)^3 = a^2 w mod q otherwise 
(w_3 = ζ^2). 

Proof. By the assumptions and Lemma 1, ζ is a non-trivial cubic root of unity. 
Note that χ_{q,3}(a) = ζ (q mod 9 = 4) or ζ^2 (q mod 9 = 7). Moreover, in case 
q mod 9 = 4, w_3 = w^{2(q−4)/9 + 2(2q+1)/9} = w^{2(q−1)/3} = χ_{q,3}(w)^2; in case 
q mod 9 = 7, w_3 = w^{(q−7)/9 + 2(q+2)/9} = w^{(q−1)/3} = χ_{q,3}(w). Hence, by Lemma 1, 
we have w_3 ∈ {1, ζ, ζ^2}, and w_3 = 1 means that w is a cubic residue. In this case, 
by Lemma 1, w_2 = w^α is a cubic root of w. In case w_3 = ζ and q mod 9 = 4, 
by the above we have χ_{q,3}(w) = ζ^2 and χ_{q,3}(aw) = ζ · ζ^2 = 1; moreover, 
since b w_2 = (aw)^α mod q, by Lemma 1 we have the result. The cases q mod 9 = 7 
and w_3 = ζ^2 can be shown similarly. 

E Decryption of the RSA Function 

We briefly recall the decryption algorithm for Multi-Prime RSA [13]. 

Let p, q, r be distinct prime numbers, N := pqr, z_q = p^{−1} mod q, and z_r = 
(pq)^{−1} mod r. Let 1 < d < N be an integer such that gcd(d, (p − 1)(q − 1)(r − 1)) = 
1, and let d_p = d mod (p − 1), d_q = d mod (q − 1), d_r = d mod (r − 1). In the case that p, q, r are known, 
for any C ∈ Z*_N we can calculate M = C^d mod N (this is the preimage of C under 
the RSA function x^e mod N, where e = d^{−1} mod (p − 1)(q − 1)(r − 1)) as follows: 

Step 1. C_p = C mod p, C_q = C mod q, C_r = C mod r. 

Step 2. M_p = C_p^{d_p} mod p, M_q = C_q^{d_q} mod q, M_r = C_r^{d_r} mod r. 

Step 3. M_{pq} = M_p + p((M_q − M_p) z_q mod q). 

Step 4. M = M_{pq} + (pq)((M_r − M_{pq}) z_r mod r). 

Step 5. Output M and end. 
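
The five steps above as runnable code, added here (my code, not from [13] or the paper), with the constructed toy primes 61, 53, 71 and e = 65537; the key-field names are my own. The exponents d_p, d_q, d_r are reduced modulo p − 1, q − 1, r − 1, so each has about ℓ/3 bits, which is the RP(ℓ/3) term in the efficiency comparison of Section 3.4.

```python
from math import gcd, isqrt

def multiprime_keygen(p, q, r, e):
    """Builds the quantities of Appendix E for a toy key; all values constructed here."""
    assert all(n > 2 and all(n % d for d in range(2, isqrt(n) + 1)) for n in (p, q, r))
    assert len({p, q, r}) == 3
    phi = (p - 1) * (q - 1) * (r - 1)
    assert gcd(e, phi) == 1
    d = pow(e, -1, phi)                      # 1 < d < N with gcd(d, phi) = 1
    return {
        "N": p * q * r, "e": e, "d": d, "p": p, "q": q, "r": r,
        "d_p": d % (p - 1), "d_q": d % (q - 1), "d_r": d % (r - 1),   # ~ell/3-bit exponents
        "z_q": pow(p, -1, q),                # z_q = p^{-1} mod q
        "z_r": pow(p * q, -1, r),            # z_r = (pq)^{-1} mod r
    }

def rsa_encrypt(M, key):
    return pow(M, key["e"], key["N"])

def decrypt_crt(C, key):
    """Steps 1-5 of Appendix E: three small exponentiations, then two Garner-style lifts."""
    p, q, r = key["p"], key["q"], key["r"]
    C_p, C_q, C_r = C % p, C % q, C % r                        # Step 1
    M_p = pow(C_p, key["d_p"], p)                              # Step 2
    M_q = pow(C_q, key["d_q"], q)
    M_r = pow(C_r, key["d_r"], r)
    M_pq = M_p + p * ((M_q - M_p) * key["z_q"] % q)            # Step 3: M mod pq
    M = M_pq + (p * q) * ((M_r - M_pq) * key["z_r"] % r)       # Step 4: M mod pqr
    return M                                                   # Step 5

def decrypt_plain(C, key):
    """Reference: a single full-size exponentiation C^d mod N."""
    return pow(C, key["d"], key["N"])
```

Steps 3 and 4 never form an N-sized intermediate before the final addition, and Python's `%` already returns a non-negative residue, so the subtractions inside them need no extra correction.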
Abstract. This paper introduces and makes concrete the concept of 
certificateless public key cryptography (CL-PKC), a model for the use of 
public key cryptography which avoids the inherent escrow of identity- 
based cryptography and yet which does not require certificates to guar- 
antee the authenticity of public keys. The lack of certificates and the 
presence of an adversary who has access to a master key necessitates the 
careful development of a new security model. We focus on certificateless 
public key encryption (CL-PKE), showing that a concrete pairing-based 
CL-PKE scheme is secure provided that an underlying problem closely 
related to the Bilinear Diffie-Hellman Problem is hard. 


1 Introduction 

The main difficulty today in developing secure systems based on public key 
cryptography is not the problem of choosing appropriately secure algorithms or 
implementing those algorithms. Rather, it is the deployment and management of 
infrastructures to support the authenticity of cryptographic keys: there is a need 
to provide an assurance to the user about the relationship between a public key 
and the identity (or authority) of the holder of the corresponding private key. 
In a traditional Public Key Infrastructure (PKI), this assurance is delivered in 
the form of a certificate, essentially a signature by a Certification Authority (CA) 
on a public key [1]. The problems of PKI technology are well documented, see 
for example [16]. Of note are the issues associated with certificate management, 
including revocation, storage and distribution and the computational cost of 
certificate verification. These are particularly acute in processor or bandwidth- 
limited environments [9]. 

Identity-based public key cryptography (ID-PKC), first proposed by Shamir 
[22], tackles the problem of authenticity of keys in a different way to traditional 
PKI. In ID-PKC, an entity’s public key is derived directly from certain aspects of 
its identity. Private keys are generated for entities by a trusted third party called 
a private key generator (PKG). The first fully practical and secure identity- 
based public key encryption scheme was presented in [5]. Since then, a rapid 
development of ID-PKC has taken place, see [18] for a brief survey. It has also 
been illustrated in [8,18,24] how ID-PKC can be used as a tool to enforce what 
might be termed “cryptographic work-flows”, that is, sequences of operations 
(e.g. authentications) that need to be performed by an entity in order to achieve 
a certain goal. 

The direct derivation of public keys in ID-PKC eliminates the need for cer- 
tificates and some of the problems associated with them. On the other hand, 
the dependence on a PKG who uses a system-wide master key to generate pri- 
vate keys inevitably introduces key escrow to ID-PKC systems. For example, 
the PKG can decrypt any ciphertext in an identity-based public key encryption 
scheme. Equally problematical, the PKG could forge any entity’s signatures in an 
identity-based signature scheme, so ID-PKC cannot offer true non-repudiation 
in the way that traditional PKI can. The escrow problem can be solved to a 
certain extent by the introduction of multiple PKGs and the use of threshold 
techniques, but this necessarily involves extra communication and infrastruc- 
ture. Moreover, the compromise of the PKG’s master key could be disastrous 
in an ID-PKC system, and usually more severe than the compromise of a CA’s 
signing key in a traditional PKI. For these reasons, it seems that the use of ID- 
PKC may be restricted to small, closed groups or to applications with limited 
security requirements. 

1.1 Certificateless Public Key Cryptography 

In this paper, we introduce a new paradigm for public key cryptography, which 
we name certificateless public key cryptography (CL-PKC). Our concept grew 
out of a search for public key schemes that do not require the use of certificates 
and yet do not have the built-in key escrow feature of ID-PKC. The solution we 
propose enjoys both of these properties; it is a model for the use of public key 
cryptography that is intermediate between traditional PKI and ID-PKC. 

We demonstrate that our concept of CL-PKC can be made real by specifying 
certificateless encryption and signature schemes. We prove that the encryption 
scheme is secure in a new and appropriate model, given the hardness of an 
underlying computational problem. Further development of our concept and 
more certificateless schemes can be found in the full version of this paper, [2]. 

1.2 Defining CL-PKC 

We sketch the defining characteristics of CL-PKC. 

A CL-PKC system still makes use of a TTP, which we name the key generating 
centre (KGC). By way of contrast to the PKG in ID-PKC, this KGC does not 
have access to entities’ private keys. Instead, the KGC supplies an entity A with 
a partial private key D_A which the KGC computes from an identifier ID_A for the 
entity and a master key. Note that we will often equate A with its identifier ID_A. 
The process of supplying partial private keys should take place confidentially and 
authentically: the KGC must ensure that the partial private keys are delivered 
securely to the correct entities. Identifiers can be arbitrary strings. 

The entity A then combines its partial private key D_A with some secret 
information to generate its actual private key S_A. In this way, A’s private key is 
not available to the KGC. The entity A also combines its secret information with 
the KGC’s public parameters to compute its public key P_A. Note that A need 
not be in possession of S_A before generating P_A: all that is needed to generate 
both is the same secret information. The system is not identity-based, because 
the public key is no longer computable from an identity (or identifier) alone. 

Entity A’s public key might be made available to other entities by transmit- 
ting it along with messages (for example, in a signing application) or by placing 
it in a public directory (this would be more appropriate for an encryption set- 
ting). But no further security is applied to the protection of A’s public key. In 
particular, there is no certificate for A’s key. To encrypt a message to A or verify 
a signature from A, entity B makes use of P_A and ID_A. 

A more formal model for certificateless public key encryption (CL-PKE) 
will be given in Section 3. Much of this model is also applicable for our other 
certificateless primitives. 

1.3 An Adversarial Model for CL-PKC 

Because of the lack of authenticating information for public keys (in the form of 
a certificate, for example), we must assume that an adversary can replace A’s 
public key by a false key of its choice. This might seem to give the adversary 
tremendous power and to be disastrous for CL-PKC. However, we will see that 
an active adversary who attacks our concrete schemes in this way gains nothing 
useful: without the correct private key, whose production requires the partial 
private key and therefore the cooperation of the KGC, an adversary will not 
be able to decrypt ciphertexts encrypted under the false public key, produce 
signatures that verify with the false public key, and so on. 

Of course, we must assume that the KGC does not mount an attack of this 
type: armed with the partial private key and the ability to replace public keys, 
the KGC could impersonate any entity in generating a private/public key pair 
and then making the public key available. Thus we must assume that, while 
the KGC is in possession of the master key and hence all partial private keys, 
it is trusted not to replace entities’ public keys. However, we assume that the 
KGC might engage in other adversarial activity, eavesdropping on ciphertexts 
and making decryption queries, for example. In this way, users invest roughly 
the same level of trust in the KGC as they would in a CA in a traditional PKI: 
it is rarely made explicit, but such a CA is always assumed not to issue new 
certificates binding arbitrary public keys and entity combinations of its choice, 
and especially not for those where it knows the corresponding private key! When 
compared to ID-PKC, the trust assumptions made of the trusted third party in 
CL-PKC are much reduced: in ID-PKC, users must trust the PKG not to abuse 
its knowledge of private keys in performing passive attacks, while in CL-PKC, 
users need only trust the KGC not to actively propagate false public keys. 

The word roughly here merits further explanation. In a traditional PKI, if 
the CA forges certificates, then the CA can be identified as having misbehaved 
through the existence of two valid certificates for the same identity. This is 
not the case in our schemes: a new public key could have been created by the 
legitimate user or by the KGC, and it cannot be easily decided which is the case. 
The terminology of [15] is useful here: our schemes achieve trust level 2, whereas a 
traditional PKI reaches trust level 3. However, we can further strengthen security 
against a malicious KGC in our schemes by allowing entities to bind together 
their public keys and identities. Now the existence of two different, working 
public keys for the same identity will identify the KGC as having misbehaved in 
issuing both corresponding partial private keys. Details of this modification can 
be found in Section 5.1. With this binding in place, our schemes do reach trust 
level 3. 

In Section 3, we will present an adversarial model for CL-PKE which cap- 
tures these capabilities in a formal way. The model we present there is a natural 
generalization of the fully adaptive, multi-user model of [5] to the CL-PKC set- 
ting, and involves two distinct types of adversary: one who can replace public 
keys at will and another who has knowledge of the master key but does not 
replace public keys. Given our detailed development of this model, the adapta- 
tions to existing models that are needed to produce adversarial models for other 
certificateless primitives become straightforward. 

1.4 Implementation and Applications of CL-PKC 

Our presentation of CL-PKC schemes will be at a fairly abstract level, in terms 
of bilinear maps on groups. However, the concrete realization of these schemes 
using pairings on elliptic curves is now becoming comparatively routine, after 
the work of [3,6,7,12] on implementation of pairings and selection of curves with 
suitable properties. All the schemes we present use a small number of pairing 
calculations for each cryptographic operation, and some of these can usually be 
eliminated when repeated operations involving the same identities take place. 
Public and private keys are small in size: two elliptic curve points for the public 
key and one for the private key. 

The infrastructure needed to support CL-PKC is lightweight when compared 
to a traditional PKI. This is because, just as with ID-PKC, the need to manage 
certificates is completely eliminated. This immediately makes CL-PKC attractive 
for low-bandwidth, low-power situations. However, it should be pointed out that 
recently introduced signature schemes enjoying very short signatures [7] could 
be used to significantly decrease the size of certificates and create a lightweight 
PKI. Our CL-PKC signature scheme can also support true non-repudiation, 
because private keys remain in the sole possession of their legitimate owners. 

Revocation of keys in CL-PKC systems can be handled in the same way as 
in ID-PKC systems. In [5] the idea of appending validity periods to identifiers 
ID_A is given as one convenient solution. In the context of CL-PKC, this ensures 
that any partial private key, and hence any private key, has a limited shelf-life. 

As will become apparent, our CL-PKC schemes are actually very closely 
related to existing pairing-based ID-PKC schemes. One consequence of this is 
that any infrastructure deployed to support pairing-based ID-PKC (e.g. a PKG) 
can also be used to support our CL-PKC schemes too: in short, the two types of 
scheme can peacefully co-exist. In fact, an entity can be granted a private key for 
a pairing-based ID-PKC scheme and immediately convert it into a private key 
for our CL-PKC scheme. In this way, an entity who wishes to prevent the PKG 
exploiting the escrow property of an identity-based system can do so, though at 
the cost of losing the identity-based nature of its public key. 

Although our CL-PKC schemes are no longer identity-based, they do enjoy 
the property that an entity’s private key can be determined after its public 
key has been generated and used. This is a useful feature. An entity B can 
encrypt a message for A using A’s chosen public key and an identifier ID_A of 
B’s choice. This identifier should contain A’s identity but might also contain a 
condition that A must demonstrate that it satisfies before the KGC will deliver 
the corresponding partial private key (which in turn allows A to compute the 
right private key for decryption). For more applications of “cryptographic work- 
flows” which cannot be supported using certificate-based systems, see [18,24]. 


1.5 Related Work 

Our work on CL-PKC owes much to the pioneering work of Boneh and Franklin 
[5,6] on identity-based public key encryption. In fact, our CL-PKE scheme is 
derived from the scheme of [5] by making a very simple modification (albeit, one 
with far-reaching consequences). Our security proofs require significant changes 
and new ideas to handle our new types of adversary. Likewise, our signature 
and other schemes [2] also arise by adapting existing ID-PKC schemes. Another 
alternative to traditional certificate-based PKI called self-certified keys was in- 
troduced by Girault [15] and further developed in [19,21]. The properties of the 
schemes presented in [15,19,21] are compared to CL-PKC in the full version [2]. 

Recent and independent work of Gentry [13] simplifies certificate manage- 
ment in traditional PKI systems in a very neat way by exploiting pairings. Gen- 
try’s scheme is presented in the context of a traditional PKI model, whereas our 
work departs from the traditional PKI and ID-PKC models to present a new 
paradigm for the use of public-key cryptography. Moreover, the concrete realiza- 
tions of the two models are different. However, it is possible to re-cast Gentry’s 
work to divorce it from the setting of a traditional PKI. Further discussion can 
be found in [2]. 

2 Background Definitions 

Throughout the paper, G_1 denotes an additive group of prime order q and G_2 
a multiplicative group of the same order. We let P denote a generator of G_1. 
For us, a pairing is a map e : G_1 × G_1 → G_2 with the following properties: (1) 
The map e is bilinear: given Q, W, Z ∈ G_1, we have e(Q, W + Z) = e(Q, W) · 
e(Q, Z) and e(Q + W, Z) = e(Q, Z) · e(W, Z). (2) The map e is non-degenerate: 
e(P, P) ≠ 1_{G_2}. (3) The map e is efficiently computable. 

Typically, the map e will be derived from either the Weil or Tate pairing on 
an elliptic curve over a finite field. We refer to [3,6,7,12] for a more comprehensive 
description of how these groups, pairings and other parameters should be selected 
in practice for efficiency and security. 
We also introduce here the computational problems that will form the basis 
of security for our CL-PKC schemes. 

Bilinear Diffie-Hellman Problem (BDHP): Let G_1, G_2, P and e be as 
above. The BDHP in (G_1, G_2, e) is as follows: Given (P, aP, bP, cP) with uni- 
formly random choices of a, b, c ∈ Z_q^*, compute e(P, P)^{abc} ∈ G_2. An algorithm A 
has advantage ε in solving the BDHP in (G_1, G_2, e) if 

Pr[A((P, aP, bP, cP)) = e(P, P)^{abc}] = ε. 

Here the probability is measured over the random choices of a, b, c ∈ Z_q^* and 
the random bits of A. 

Generalized Bilinear Diffie-Hellman Problem (GBDHP): Let G_1, G_2, P 
and e be as above. The GBDHP in (G_1, G_2, e) is as follows: Given (P, aP, bP, cP) 
with uniformly random choices of a, b, c ∈ Z_q^*, output a pair (Q ∈ G_1^*, e(P, Q)^{abc} 
∈ G_2). An algorithm A has advantage ε in solving the GBDHP in (G_1, G_2, e) if 

Pr[A((P, aP, bP, cP)) = (Q, e(P, Q)^{abc})] = ε. 

Here the probability is measured over the random choices of a, b, c ∈ Z_q^* and 
the random bits of A. 

Notice that the BDHP is a special case of the GBDHP in which the algorithm 
outputs the choice Q = P. While the GBDHP may appear to be in general 
easier to solve than the BDHP because the solver gets to choose Q, we know 
of no polynomial-time algorithm for solving either when the groups G_1, G_2 and 
pairing e are appropriately selected. If the solver knows s ∈ Z_q^* such that Q = sP, 
then the problems are of course equivalent. 

BDH Parameter Generator: As in [5], the formal output of this randomized 
algorithm is a triple (G_1, G_2, e) where G_1 and G_2 are of prime order q and 
e : G_1 × G_1 → G_2 is a pairing. 

Our security proofs will yield reductions to the BDHP or GBDHP in groups 
generated by a BDH parameter generator IG. 

3 Certificateless Public Key Encryption 

In this section we present a formal definition for a certificateless public key 
encryption (CL-PKE) scheme. We also examine the capabilities which may be 
possessed by the adversaries against such a scheme and give a security model 
for CL-PKE. 

A CL-PKE scheme is specified by seven randomized algorithms. 

Setup: This algorithm takes security parameter k and returns the system pa- 
rameters params and master-key. The system parameters include a description 
of the message space 𝓜 and ciphertext space 𝓒. Usually, this algorithm is run 
by the KGC. We assume throughout that params are publicly and authentically 
available, but that only the KGC knows master-key. 

Partial-Private-Key-Extract: This algorithm takes params, master-key and 
an identifier for entity A, ID_A ∈ {0, 1}*, as input. It returns a partial private key 
D_A. Usually this algorithm is run by the KGC and its output is transported to 
entity A over a confidential and authentic channel. 

Set-Secret-Value: This algorithm takes as inputs params and an entity A's 
identifier ID_A and outputs A's secret value x_A. 

Set-Private-Key: This algorithm takes params, an entity A's partial private 
key D_A and A's secret value x_A as input. The value x_A is used to transform D_A 
into the (full) private key S_A. The algorithm returns S_A. 

Set-Public-Key: This algorithm takes params and entity A's secret value x_A 
as input and from these constructs the public key P_A for entity A. 

Normally both Set-Private-Key and Set-Public-Key are run by an entity 
A for itself, after running Set-Secret-Value. The same secret value x_A is used 
in each. Separating them makes it clear that there is no need for a temporal 
ordering on the generation of public and private keys in our CL-PKE scheme. 
Usually, A is the only entity in possession of S_A and x_A, and x_A will be chosen 
at random from a suitable and large set. 

Encrypt: This algorithm takes as inputs params, a message M ∈ 𝓜, and the 
public key P_A and identifier ID_A of an entity A. It returns either a ciphertext 
C ∈ 𝓒 or the null symbol ⊥ indicating an encryption failure. This will always 
occur in the event that P_A does not have the correct form. In our scheme, this 
is the only way an encryption failure will occur. 

Decrypt: This algorithm takes as inputs params, C ∈ 𝓒, and a private key S_A. 
It returns a message M ∈ 𝓜 or a message ⊥ indicating a decryption failure. 

Naturally, we insist that output M should result from applying algorithm 
Decrypt with inputs params, S_A on a ciphertext C generated by using algorithm 
Encrypt with inputs params, P_A, ID_A on message M. 

3.1 Security Model for CL-PKE 

Given this formal definition of a CL-PKE scheme, we are now in a position 
to define adversaries for such a scheme. The standard definition for security 
for a public key encryption scheme involves indistinguishability of encryptions 
against a fully-adaptive chosen ciphertext attacker (IND-CCA) [4,10,20]. In this 
definition, there are two parties, the adversary A and the challenger C. The 
adversary operates in three phases after being presented with a random public 
key. In Phase 1, A may make decryption queries on ciphertexts of its choice. In 
the Challenge Phase, A chooses two messages M_0, M_1 and is given a challenge 
ciphertext C* for one of these two messages M_b by the challenger. In Phase 2, 
A may make further decryption queries, but may not ask for the decryption of 
C*. The attack ends with A's guess b' for the bit b. The adversary's advantage 
is defined to be Adv(A) = 2(Pr[b' = b] − 1/2). 

This model was strengthened for ID-PKC in [5] to handle adversaries who 
can extract the private keys of arbitrary entities and who choose the identity 
ID_ch of the entity on whose public key they are challenged. This extension is 
appropriate because the compromise of some entities' private keys should not 
affect the security of an uncompromised entity's encryptions. 

Here, we extend the model of [5] to allow adversaries who can extract partial 
private keys, or private keys, or both, for identities of their choice. Given that 
our scheme has no certificates, we must further strengthen the model to allow 
for adversaries who can replace the public key of any entity with a value of 
their choice. We must also consider carefully how a challenger should respond to 
key extraction and decryption queries for identities whose public keys have been 
changed. 

Here then is a list of the actions that a general adversary against a CL-PKE 
scheme may carry out and a discussion of each action. 

(1) Extract partial private key of A: C responds by running algorithm 
Partial-Private-Key-Extract to generate the partial private key D_A for en- 
tity A. 

(2) Extract private key for A: As in [5], we allow our adversary A to make 
requests for entities' private keys. If A's public key has not been replaced then C 
can respond by running algorithm Set-Private-Key to generate the private key 
S_A for entity A (first running Set-Secret-Value for A if necessary). But it is 
unreasonable to expect C to be able to respond to such a query if A has already 
replaced A's public key. Of course, we insist that A does not at any point extract 
the private key for the selected challenge identity ID_ch. 

(3) Request public key of A: Naturally, we assume that public keys are 
available to A. On receiving a first request for A's public key, C responds by 
running algorithm Set-Public-Key to generate the public key P_A for entity A 
(first running Set-Secret-Value for A if necessary). 

(4) Replace public key of A: A can repeatedly replace the public key P_A for 
any entity A with any value P'_A of its choice. In our concrete CL-PKE schemes, 
our public keys will have a certain structure that is used to test the validity of 
public keys before any encryption. We assume here that the adversary's choice 
P'_A is a valid public key; this assumption can be removed (and our schemes 
remain secure) at the cost of some additional complexity in our definitions. Note 
that in our schemes, any entity can easily create public keys that are valid. 
The current value of an entity's public key is used by C in any computations 
(for example, preparing a challenge ciphertext) or responses to A's requests (for 
example, replying to a request for the public key). We insist that A cannot both 
replace the public key for the challenge identity ID_ch before the challenge phase 
and extract the partial private key for ID_ch in some phase: this would enable A 
to receive a challenge ciphertext under a public key for which it could compute 
the private key. 

(5) Decryption query for ciphertext C and entity A: If A has not re- 
placed the public key of entity A, then C responds by running the algorithm 
Set-Private-Key to obtain the private key S_A, then running Decrypt on ci- 
phertext C and private key S_A and returning the output to A. However, if A 
has already replaced the public key of A, then in following this approach, C 
would (in general) not decrypt using a private key matching the current public 
key. However, we insist that C properly decrypts ciphertexts even for entities 
whose public keys have been replaced (these decryptions will be handled using 
special purpose knowledge extractors in our security proofs). This results in a 
very powerful security model because decryption queries made under public keys 
that have been changed are potentially far more useful to A. Naturally, as in [5], 
we prohibit A from ever making a decryption query on the challenge ciphertext 
C* for the combination of identity ID_ch and public key P_ch that was used to 
encrypt M_b. However A is, for example, allowed to replace the public key for 
ID_ch with a new value and then request a decryption of C*, or to change another 
entity A's public key to P_ch (or any other value) and then request the decryption 
of C* for entity A. 

We also want to consider adversaries who are equipped with master-key, in 
order to model security against an eavesdropping KGC. As discussed in Section 
1, we do not allow such an adversary to replace public keys: in this respect, we 
invest in the KGC the same level of trust as we do in a CA in a traditional 
PKI. So we will distinguish between two adversary types, with slightly different 
capabilities: 

CL-PKE Type I Adversary: Such an adversary A_I does not have access 
to master-key. However, A_I may request public keys and replace public keys 
with values of its choice, extract partial private and private keys and make 
decryption queries, all for identities of its choice. As discussed above, we make 
several natural restrictions on such a Type I adversary: (1) A_I cannot extract 
the private key for ID_ch at any point. (2) A_I cannot request the private key for 
any identity if the corresponding public key has already been replaced. (3) A_I 
cannot both replace the public key for the challenge identity ID_ch before the 
challenge phase and extract the partial private key for ID_ch in some phase. (4) 
In Phase 2, A_I cannot make a decryption query on the challenge ciphertext C* 
for the combination of identity ID_ch and public key P_ch that was used to encrypt 
M_b. 

CL-PKE Type II Adversary: Such an adversary A_II does have access to 
master-key, but may not replace public keys of entities. Adversary A_II can 
compute partial private keys for itself, given master-key. It can also request 
public keys, make private key extraction queries and decryption queries, both 
for identities of its choice. The restrictions on this type of adversary are: (1) A_II 
cannot replace public keys at any point. (2) A_II cannot extract the private key 
for ID_ch at any point. (3) In Phase 2, A_II cannot make a decryption query on 
the challenge ciphertext C* for the combination of identity ID_ch and public key 
P_ch that was used to encrypt M_b. 

Chosen ciphertext security for CL-PKE: We say that a CL-PKE scheme 
is semantically secure against an adaptive chosen ciphertext attack ("IND-CCA 
secure") if no polynomially bounded adversary A of Type I or Type II has a 
non-negligible advantage against the challenger in the following game: 

Setup: The challenger takes a security parameter k and runs the Setup algo- 
rithm. It gives A the resulting system parameters params. If A is of Type I, then 
the challenger keeps master-key to itself, otherwise, it gives master-key to A. 

Phase 1: A issues a sequence of requests, each request being either a partial pri- 
vate key extraction, a private key extraction, a request for a public key, a replace 
public key command or a decryption query for a particular entity. These queries 
may be asked adaptively, but are subject to the rules on adversary behaviour 
defined above. 

Challenge Phase: Once A decides that Phase 1 is over it outputs the chal- 
lenge identity ID_ch and two equal length plaintexts M_0, M_1 ∈ 𝓜. Again, the 
adversarial constraints given above apply. The challenger now picks a random 
bit b ∈ {0, 1} and computes C*, the encryption of M_b under the current public 
key P_ch for ID_ch. If the output of the encryption is ⊥, then A has immediately 
lost the game (it has replaced a public key with one not having the correct form). 
Otherwise, C* is delivered to A. 

Phase 2: A issues a second sequence of requests as in Phase 1, again subject to 
the rules on adversary behaviour above. 

Guess: Finally, A outputs a guess b' ∈ {0, 1}. The adversary wins the game if 
b = b'. We define A's advantage in this game to be Adv(A) := 2(Pr[b = b'] − 1/2). 

4 CL-PKE Schemes from Pairings 

In this section, we describe a pair of CL-PKE schemes. Our first scheme, 
BasicCL-PKE, is analogous to the scheme BasicIdent of [5], and is included 
only to serve as a warm-up for our main scheme FullCL-PKE. The main scheme 
is in turn an analogue of the scheme FullIdent of [5] and is IND-CCA secure, 
assuming the hardness of the GBDHP. We prove this in Theorem 1. 

4.1 A Basic CL-PKE Scheme 

We describe the seven algorithms needed to define BasicCL-PKE. We let k be 
a security parameter given to the Setup algorithm and 𝓘𝓖 a BDH parameter 
generator with input k. 

Setup: This algorithm runs as follows: 

(1) Run 𝓘𝓖 on input k to generate output (G_1, G_2, e) where G_1 and G_2 are 
groups of some prime order q and e : G_1 × G_1 → G_2 is a pairing. 

(2) Choose an arbitrary generator P ∈ G_1. 

(3) Select a master-key s uniformly at random from Z_q^* and set P_0 = sP. 

(4) Choose cryptographic hash functions H_1 : {0, 1}* → G_1^* and H_2 : G_2 → 
{0, 1}^n. Here n will be the bit-length of plaintexts. 

The system parameters are params = (G_1, G_2, e, n, P, P_0, H_1, H_2). The 
master-key is s ∈ Z_q^*. The message space is 𝓜 = {0, 1}^n and the ciphertext 
space is 𝓒 = G_1 × {0, 1}^n. 

Partial-Private-Key-Extract: This algorithm takes as input an identifier 
ID_A ∈ {0, 1}*, and carries out the following steps to construct the partial private 
key for entity A with identifier ID_A: 

(1) Compute Q_A = H_1(ID_A) ∈ G_1^*. 

(2) Output the partial private key D_A = sQ_A ∈ G_1^*. 

The reader will notice that the partial private key of entity A here is identical 
to that entity's private key in the schemes of [5]. Also notice that A can verify the 
correctness of the Partial-Private-Key-Extract algorithm output by checking 

e(D_A, P) = e(Q_A, P_0). 

Set-Secret-Value: This algorithm takes as inputs params and an entity A's 
identifier ID_A. It selects x_A ∈ Z_q^* at random and outputs x_A as A's 
secret value. 

Set-Private-Key: This algorithm takes as inputs params, an entity A's partial 
private key D_A and A's secret value x_A ∈ Z_q^*. It transforms partial private key 
D_A to private key S_A by computing S_A = x_A D_A = x_A sQ_A ∈ G_1^*. 

Set-Public-Key: This algorithm takes params and entity A's secret value x_A ∈ 
Z_q^* as inputs and constructs A's public key as P_A = (X_A, Y_A), where X_A = x_A P 
and Y_A = x_A P_0 = x_A sP. 

Encrypt: To encrypt M ∈ 𝓜 for entity A with identifier ID_A ∈ {0, 1}* and 
public key P_A = (X_A, Y_A), perform the following steps: 

(1) Check that X_A, Y_A ∈ G_1^* and that the equality e(X_A, P_0) = e(Y_A, P) holds. 
If not, output ⊥ and abort encryption. 

(2) Compute Q_A = H_1(ID_A) ∈ G_1^*. 

(3) Choose a random value r ∈ Z_q^*. 

(4) Compute and output the ciphertext: C = (rP, M ⊕ H_2(e(Q_A, Y_A)^r)). 

Notice that this encryption operation is identical to the encryption algorithm 
in the scheme BasicIdent of [5], except for the check on the structure of the 
public key in step 1 and the use of Y_A in place of P_0 = P_pub in step 4. 

Decrypt: Suppose C = (U, V) ∈ 𝓒. To decrypt this ciphertext using the private 
key S_A, compute and output: V ⊕ H_2(e(S_A, U)). 

Notice that if (U = rP, V) is the encryption of M for entity A with public 
key P_A = (X_A, Y_A), the decryption is the inverse of encryption. 

Again, the similarity to the decryption operation of BasicIdent should be 
apparent. 

We have presented this scheme to help the reader understand our FullCL-PKE 
scheme, and so we do not analyse its security in detail. 

4.2 A Full CL-PKE Scheme 

Now that we have described our basic CL-PKE scheme, we add chosen cipher- 
text security to it, adapting the Fujisaki-Okamoto padding technique [11]. The 
algorithms for FullCL-PKE are as follows: 

Setup: Identical to Setup for BasicCL-PKE, except that we choose two additional 
cryptographic hash functions H_3 : {0, 1}^n × {0, 1}^n → Z_q^* and H_4 : {0, 1}^n → 
{0, 1}^n. 

The system parameters are params = (G_1, G_2, e, n, P, P_0, H_1, H_2, H_3, H_4). 
The master-key and message space 𝓜 are the same as in BasicCL-PKE. The 
ciphertext space is now 𝓒 = G_1 × {0, 1}^{2n}. 

Partial-Private-Key-Extract, Set-Secret-Value, Set-Private-Key, 
and Set-Public-Key: Identical to BasicCL-PKE. 
Encrypt: To encrypt M ∈ 𝓜 for entity A with identifier ID_A ∈ {0, 1}* and 
public key P_A = (X_A, Y_A), perform the following steps: 

(1) Check that X_A, Y_A ∈ G_1^* and that the equality e(X_A, P_0) = e(Y_A, P) holds. 
If not, output ⊥ and abort encryption. 

(2) Compute Q_A = H_1(ID_A) ∈ G_1^*. 

(3) Choose a random σ ∈ {0, 1}^n. 

(4) Set r = H_3(σ, M). 

(5) Compute and output: C = (rP, σ ⊕ H_2(e(Q_A, Y_A)^r), M ⊕ H_4(σ)). 

Decrypt: Suppose the ciphertext C = (U, V, W) ∈ 𝓒. To decrypt this ciphertext 
using the private key S_A: 

(1) Compute V ⊕ H_2(e(S_A, U)) = σ'. 

(2) Compute W ⊕ H_4(σ') = M'. 

(3) Set r' = H_3(σ', M') and test if U = r'P. If not, output ⊥ and reject C. 

(4) Output M' as the decryption of C. 

When C is a valid encryption of M using P_A and ID_A, it is easy to see 
that decrypting C will result in an output M' = M. We note that W can be 
replaced by W = where E denotes a semantically secure symmetric 
key encryption scheme as in [11] (though our security proofs will require some 
modifications to handle this case). This concludes the description of FullCL-PKE. 
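As an added worked example for Sections 4.1 and 4.2 (illustration code written for this page, not code from the paper or its authors), the Python below carries out the key generation steps shared by BasicCL-PKE and FullCL-PKE, the entity-side check e(D_A, P) = e(Q_A, P_0), and FullCL-PKE's Encrypt and Decrypt with the Fujisaki-Okamoto consistency test U = r'P. It assumes a deliberately insecure stand-in for the pairing: G_1 and G_2 are both the additive group Z_q with P = 1, so aP is a mod q and e(aP, bP) = ab mod q is bilinear and non-degenerate while discrete logarithms are trivial. The value of q, the SHA-256-based hash functions H_1 to H_4, the identifier and the plaintext are all constructed placeholders. What the example shows is that the algebra of the scheme closes: decryption inverts encryption, a ciphertext with one bit of W flipped fails the consistency test and is rejected, and a public key whose second component is not s times the first is refused by Encrypt, as step (1) prescribes.

```python
import hashlib
import secrets

# Constructed toy parameters (NOT secure): G1 = G2 = (Z_q, +) with generator
# P = 1, so the scalar multiple aP is just a mod q and discrete logs are trivial.
Q = 2147483647   # prime group order q (2^31 - 1), a constructed placeholder
P = 1            # generator of G1
N = 16           # plaintext length n, in bytes

def pairing(a, b):
    """e : G1 x G1 -> G2 with e(aP, bP) = ab . e(P, P); G2 is written additively."""
    return (a * b) % Q

def g2_pow(z, k):
    """z^k in G2, which in the additive toy group is the scalar multiple kz."""
    return (z * k) % Q

def _hash(tag, *parts):
    h = hashlib.sha256(tag)
    for part in parts:
        h.update(part if isinstance(part, bytes) else str(part).encode())
    return h.digest()

def H1(identity):   # {0,1}* -> G1^*
    return int.from_bytes(_hash(b"H1", identity), "big") % (Q - 1) + 1

def H2(g2_elem):    # G2 -> {0,1}^n
    return _hash(b"H2", g2_elem)[:N]

def H3(sigma, m):   # {0,1}^n x {0,1}^n -> Z_q^*
    return int.from_bytes(_hash(b"H3", sigma, m), "big") % (Q - 1) + 1

def H4(sigma):      # {0,1}^n -> {0,1}^n
    return _hash(b"H4", sigma)[:N]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def setup():
    s = secrets.randbelow(Q - 1) + 1                 # master-key s in Z_q^*
    return {"P": P, "P0": (s * P) % Q}, s            # (params, master-key)

def partial_private_key_extract(params, s, identity):
    return (s * H1(identity)) % Q                    # D_A = s Q_A

def partial_key_is_correct(params, identity, d_a):
    """Entity-side check e(D_A, P) = e(Q_A, P0) from Section 4.1."""
    return pairing(d_a, params["P"]) == pairing(H1(identity), params["P0"])

def set_secret_value():
    return secrets.randbelow(Q - 1) + 1              # x_A in Z_q^*

def set_private_key(d_a, x_a):
    return (x_a * d_a) % Q                           # S_A = x_A D_A = x_A s Q_A

def set_public_key(params, x_a):
    return ((x_a * params["P"]) % Q, (x_a * params["P0"]) % Q)   # (X_A, Y_A)

def public_key_is_valid(params, pk):
    """Encrypt step (1): X_A, Y_A in G1^* and e(X_A, P0) = e(Y_A, P)."""
    x_a, y_a = pk
    return (x_a % Q != 0 and y_a % Q != 0
            and pairing(x_a, params["P0"]) == pairing(y_a, params["P"]))

def encrypt(params, m, pk, identity):
    """FullCL-PKE Encrypt; None stands for the paper's failure symbol."""
    if len(m) != N or not public_key_is_valid(params, pk):
        return None
    sigma = secrets.token_bytes(N)
    r = H3(sigma, m)
    u = (r * params["P"]) % Q                        # U = rP
    k = g2_pow(pairing(H1(identity), pk[1]), r)      # e(Q_A, Y_A)^r
    return (u, _xor(sigma, H2(k)), _xor(m, H4(sigma)))

def decrypt(params, c, s_a):
    """FullCL-PKE Decrypt; None when the consistency test U = r'P fails."""
    u, v, w = c
    sigma = _xor(v, H2(pairing(s_a, u)))             # e(S_A, U) = e(Q_A, Y_A)^r
    m = _xor(w, H4(sigma))
    if (H3(sigma, m) * params["P"]) % Q != u:
        return None
    return m

def demo():
    """Round trip plus both rejection cases; True when everything behaves."""
    params, s = setup()
    ident = b"alice@example.com"                     # constructed identifier
    d_a = partial_private_key_extract(params, s, ident)
    x_a = set_secret_value()
    s_a, pk = set_private_key(d_a, x_a), set_public_key(params, x_a)
    m = b"sixteen byte msg"                          # constructed plaintext
    c = encrypt(params, m, pk, ident)
    tampered = (c[0], c[1], _xor(c[2], b"\x01" + bytes(N - 1)))  # flip a bit of W
    bogus_pk = (pk[0], (pk[1] + 1) % Q)              # Y_A no longer equals s X_A
    return (partial_key_is_correct(params, ident, d_a)
            and decrypt(params, c, s_a) == m
            and decrypt(params, tampered, s_a) is None
            and encrypt(params, m, bogus_pk, ident) is None)
```

Real deployments take (G_1, G_2, e) from a BDH parameter generator as described in [3,6,7,12]; with the toy groups used here the BDHP and GBDHP are trivially solvable, so the block demonstrates the correctness of the construction and its two rejection paths, not its security.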


4.3 Security of the Scheme FullCL-PKE 

We have the following theorem about the security of FullCL-PKE. 

Theorem 1. Let hash functions H_1, H_2, H_3 and H_4 be random oracles. Suppose 
further that there is no polynomially bounded algorithm that can solve the GB- 
DHP in groups generated by 𝓘𝓖 with non-negligible advantage. Then FullCL-PKE 
is IND-CCA secure. 

This theorem follows from a sequence of lemmas that are proved in the appen- 
dices. It can be made into a concrete security reduction relating the advantage 
e of a Type I or Type II attacker against FullCL-PKE to that of an algorithm to 
solve GBDHP or BDHP. 

5 Further CL-PKC Schemes 

In this section, we sketch another CL-PKC primitive: a signature scheme based 
on the identity-based scheme of [17]. We begin by outlining an alternative key 
generation technique which enhances the resilience of our schemes against a 
cheating KGC and allows for non-repudiation of certificateless signatures. 

5.1 An Alternative Key Generation Technique 

Up to this point, we have assumed that the KGC is trusted to not replace the 
public keys of users and to only issue one copy of each partial private key, to the 
correct recipient. This may involve an unacceptable level of trust in the KGC for 
some users. Our current setup also allows users to create more than one public 
key for the same partial private key. This can be desirable in some applications, 
but undesirable in others. 

Here we sketch a simple binding technique which ensures that users can only 
create one public key for which they know the corresponding private key. In 
our technique, an entity A must first fix its secret value x_A and its public key 
P_A = (X_A, Y_A). We then re-define Q_A to be Q_A = H_1(ID_A || P_A); now Q_A binds 
A's identifier and public key. The partial private key delivered to entity A is still 
D_A = sQ_A and the private key created by A is still x_A sQ_A. However, these are 
also now bound to A's choice of public key. This binding effectively restricts A 
to using a single public key, since A can now only compute one private key from 
D_A. 

This technique has a very important additional benefit: it reduces the degree 
of trust that users need to have in the KGC in our certificateless schemes. In 
short, the technique raises our schemes to trust level 3 in the trust hierarchy of 
[15], the same level as is enjoyed in a traditional PKI. Now, with our binding 
technique in place, a KGC who replaces an entity’s public key will be implicated 
in the event of a dispute: the existence of two working public keys for an identity 
can only result from the existence of two partial private keys binding that identity 
to two different public keys; only the KGC could have created these two partial 
private keys. Thus our binding technique makes the KGC’s replacement of a 
public key apparent and equivalent to a CA forging a certificate in a traditional 
PKI. 

Theorem 1 still applies for our CL-PKE scheme with this binding in place 
because of the way in which H_1 is modelled as a random oracle. Notice too that 
with this binding in place, there is no longer any need to keep partial private keys 
secret: informally, knowledge of the key D_A = sQ_A does not help an adversary to 
create the unique private key S_A = x_A sQ_A that matches the particular public key 
P_A that is bound to D_A. When applied to the certificateless signature primitive 
in this section, the binding technique ensures a stronger form of non-repudiation: 
without the binding, an entity could always attempt to repudiate a signature by 
producing a second working public key and claiming that the KGC had created 
the signature using the first public key. 

Even with this binding in place, the security analysis of our original encryp- 
tion scheme (in which an adversary can replace public keys) is still important: it 
models the scenario where an adversary temporarily replaces the public key P_A 
of an entity A with a new value P'_A in an attempt to obtain a ciphertext which 
he can distinguish, and then resets the public key. In this case, our proof shows 
that the adversary does not gain any advantage in a distinguishing game unless 
he has access to the matching partial private key D'_A = sH_1(ID_A || P'_A). In turn, 
this partial private key should not be made available by the KGC. Of course, 
nothing can prevent a KGC from mounting an attack of this type, but the same 
applies for the CA in a traditional PKI. 
5.2 A Certificateless Signature Scheme 

We will describe a certificateless public-key signature (CL-PKS) scheme that is 
based on a provably secure ID-PKC signature scheme of [17]. 

In general, a CL-PKS scheme can be specified by seven algorithms: Setup, 
Partial-Private-Key-Extract, Set-Secret-Value, Set-Private-Key, 
Set-Public-Key, Sign and Verify. These are similar to the algorithms used to 
define a CL-PKE scheme: Setup and params are modified to include a description 
of the signature space 𝓢; Partial-Private-Key-Extract, 
Set-Secret-Value, Set-Private-Key and Set-Public-Key are just as before; 
and Sign and Verify are as follows: 

Sign: This algorithm takes as inputs params, a message M ∈ 𝓜 to be signed 
and a private key S_A. It outputs a signature Sig ∈ 𝓢. 

Verify: This algorithm takes as inputs params, a message M ∈ 𝓜, the identifier 
ID_A and public key P_A of an entity A, and Sig ∈ 𝓢 as the signature to be verified. 
It outputs valid, invalid or ⊥. 

Given this general description, we now outline a CL-PKS scheme: 

Setup: This is identical to Setup for our scheme BasicCL-PKE, except that 
now there is only one hash function H : {0, 1}* × G_2 → Z_q^* and params is 
(G_1, G_2, n, e, P, P_0, H). The signature space is defined as 𝓢 = G_1 × Z_q^*. 

Partial-Private-Key-Extract, Set-Secret-Value, Set-Private-Key and 
Set-Public-Key: Identical to BasicCL-PKE. 

Sign: To sign M ∈ 𝓜 using the private key S_A, perform the following steps: (1) 
Choose random a ∈ Z_q^*. (2) Compute r = e(P, P)^a ∈ G_2. (3) Set v = H(M, r) ∈ 
Z_q^*. (4) Compute U = vS_A + aP ∈ G_1. (5) Output as the signature (U, v). 

Verify: To verify a purported signature (U, v) on a message M ∈ 𝓜 for identity 
ID_A and public key (X_A, Y_A): (1) Check that the equality e(X_A, P_0) = e(Y_A, P) 
holds. If not, output ⊥ and abort verification. (2) Compute r = e(U, P) · 
e(Q_A, −Y_A)^v. (3) Check if v = H(M, r) holds. If it does, output valid, oth- 
erwise output invalid. 
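As an added example tying Section 5.1 to Section 5.2 (illustration code written for this page, not the paper's own), the Python below implements Sign and Verify of the CL-PKS scheme over a constructed stand-in pairing: G_1 = G_2 = (Z_q, +) with P = 1 and e(aP, bP) = ab mod q, which is bilinear and non-degenerate but deliberately insecure because discrete logarithms in it are trivial. The value of q, the SHA-256 placeholders for H and H_1, the identifier and the message are constructed; the `bound` flag, the optional `pk` argument of `H1` and the helper `two_keys_from_one_partial_key` are assumptions introduced for the demonstration and not part of the paper's notation. Without the binding, an entity holding D_A can derive a second private key x'_A D_A and a second public key (x'_A P, x'_A P_0), and signatures under both verify, which is the situation Section 5.1 describes; with Q_A = H_1(ID_A || P_A) the signature under the second public key fails Verify, which is the non-repudiation property the binding provides.

```python
import hashlib
import secrets

# Constructed toy parameters (NOT secure): G1 = G2 = (Z_q, +) with P = 1,
# so aP is a mod q, e(aP, bP) = ab mod q, and G2 is written additively.
Q = 2147483647   # prime group order q (2^31 - 1), a constructed placeholder
P = 1            # generator of G1

def pairing(a, b):
    return (a * b) % Q                       # e(aP, bP) = ab . e(P, P)

def g2_pow(z, k):
    return (z * k) % Q                       # z^k in G2 (scalar multiple in the toy)

def g2_mul(z1, z2):
    return (z1 + z2) % Q                     # product in G2 (addition in the toy)

def _hash_to_zq_star(tag, *parts):
    h = hashlib.sha256(tag)
    for part in parts:
        h.update(part if isinstance(part, bytes) else str(part).encode())
    return int.from_bytes(h.digest(), "big") % (Q - 1) + 1

def H1(identity, pk=None):
    """Q_A = H1(ID_A), or H1(ID_A || P_A) with the Section 5.1 binding (pk given)."""
    parts = (identity,) if pk is None else (identity, pk[0], pk[1])
    return _hash_to_zq_star(b"H1", *parts)

def H(m, r):
    """H : {0,1}* x G2 -> Z_q^*."""
    return _hash_to_zq_star(b"H", m, r)

def setup():
    s = secrets.randbelow(Q - 1) + 1         # master-key s in Z_q^*
    return {"P": P, "P0": (s * P) % Q}, s

def set_public_key(params, x_a):
    return ((x_a * params["P"]) % Q, (x_a * params["P0"]) % Q)   # (X_A, Y_A)

def partial_private_key_extract(params, s, identity, pk=None):
    """D_A = s Q_A; pass pk to bind the partial key to a fixed public key."""
    return (s * H1(identity, pk)) % Q

def sign(params, m, s_a):
    a = secrets.randbelow(Q - 1) + 1                       # a in Z_q^*
    r = g2_pow(pairing(params["P"], params["P"]), a)      # r = e(P, P)^a
    v = H(m, r)
    return ((v * s_a + a * params["P"]) % Q, v)            # (U = v S_A + aP, v)

def verify(params, m, sig, identity, pk, bound=True):
    """True/False for valid/invalid; None when the public key is malformed."""
    u, v = sig
    x_a, y_a = pk
    if pairing(x_a, params["P0"]) != pairing(y_a, params["P"]):
        return None
    q_a = H1(identity, pk if bound else None)
    r = g2_mul(pairing(u, params["P"]),
               g2_pow(pairing(q_a, (-y_a) % Q), v))      # e(U, P) . e(Q_A, -Y_A)^v
    return v == H(m, r)

def two_keys_from_one_partial_key(bound):
    """A derives two public keys from one D_A; returns whether each one verifies."""
    params, s = setup()
    ident = b"alice@example.com"                           # constructed identifier
    m = b"constructed message"
    x_a = secrets.randbelow(Q - 1) + 1
    pk_a = set_public_key(params, x_a)
    d_a = partial_private_key_extract(params, s, ident, pk_a if bound else None)
    first = verify(params, m, sign(params, m, (x_a * d_a) % Q), ident, pk_a, bound)
    x_b = secrets.randbelow(Q - 1) + 1                     # a second secret value
    pk_b = set_public_key(params, x_b)                     # and a second public key
    second = verify(params, m, sign(params, m, (x_b * d_a) % Q), ident, pk_b, bound)
    return first, second
```

Calling `two_keys_from_one_partial_key(False)` returns `(True, True)` and `two_keys_from_one_partial_key(True)` returns `(True, False)`: the bound partial key accepts exactly one public key, so a dispute over which key produced a signature can no longer be raised by the signer.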

5.3 Other Schemes 

The hierarchical encryption and signature schemes of [14] and the key agreement 
scheme of [23] can be adapted to our certificateless setting. These adaptations 
are presented in the full paper [2]. 

6 Conclusions 

In this paper we introduced the concept of certificateless public key cryptography, 
a model for the use of public key cryptography that is intermediate between 
the identity-based approach and traditional PKI. We showed how our concept 
can be realized by specifying a certificateless public key encryption (CL-PKE) 
scheme that is based on bilinear maps. We showed that our CL-PKE scheme is 
secure in an appropriate model, assuming that the Generalized Bilinear Diffie- 
Hellman Problem (GBDHP) is hard. We also rounded out our treatment by 
briefly presenting a certificateless signature scheme. 
Appendix A: Proofs of Security for FullCL-PKE 

A.1 Two Public Key Encryption Schemes 

We define a public key encryption scheme HybridPub. It will be used as a tool 
in our security proof for FullCL-PKE. 

HybridPub: This scheme is specified by three algorithms: Key-Generation, 
Encrypt and Decrypt. 

Key-Generation: (1) Run 𝓘𝓖 to generate (G_1, G_2, e) with the usual proper- 
ties. Choose a generator P ∈ G_1. (2) Pick a random Q ∈ G_1^*, a random 
s ∈ Z_q^* and a random x ∈ Z_q^*. (3) Set P_0 = sP, X = xP, Y = xsP and 
S = xsQ. (4) Choose the cryptographic hash functions H_2 : G_2 → {0, 1}^n, 
H_3 : {0, 1}^n × {0, 1}^n → Z_q^* and H_4 : {0, 1}^n → {0, 1}^n. The public key is 
(G_1, G_2, e, n, P, P_0, X, Y, Q, H_2, H_3, H_4). The private key is S = xsQ, the mes- 
sage space is 𝓜 = {0, 1}^n and the ciphertext space is 𝓒 = G_1 × {0, 1}^{2n}. 

Encrypt: To encrypt M ∈ 𝓜, perform the following steps: (1) Check that the 
equality e(X, P_0) = e(Y, P) holds. If not, output ⊥ and abort encryption. (2) 
Choose a random σ ∈ {0, 1}^n. (3) Set r = H_3(σ, M). (4) Compute and output 
the ciphertext: C = (rP, σ ⊕ H_2(e(Q, Y)^r), M ⊕ H_4(σ)). 

Decrypt: To decrypt C = (U, V, W) ∈ 𝓒 using private key S, do the following: 
(1) Compute V ⊕ H_2(e(S, U)) = σ'. (2) Compute W ⊕ H_4(σ') = M'. (3) Set 
r' = H_3(σ', M') and test if U = r'P. If not, output ⊥ and reject the ciphertext. 
(4) Output M' as the decryption of C. 

A second scheme BasicPub is defined in [2]; it is a simplified version of 
HybridPub in which the encryption of message M equals (rP, M ⊕ H_2(e(Q, Y)^r)). 
The full paper [2] also defines Type I and II IND-CCA, IND-CPA and OWE ad- 
versaries for BasicPub and HybridPub: these are similar to the usual definitions, 
except that a Type I adversary is allowed to replace the public key, while a Type 
II adversary has the value s. 
A.2: Statements of Lemmas 

We present a series of lemmas. Theorem 1 for Type I adversaries follows by 
combining Lemmas 2, 3, 4, 5 and 8. Similarly, Theorem 1 for Type II adversaries 
follows by combining Lemmas 6, 7 and 8. 

Lemma 2. Suppose that H_1, H_2, H_3 and H_4 are random oracles and that there 
exists an IND-CCA Type I adversary A_I against FullCL-PKE. Suppose A_I has 
advantage ε, runs in time t, makes q_i queries to H_i (1 ≤ i ≤ 4) and makes q_d 
decryption queries. Then there is an algorithm B which acts as either a Type 
I or a Type II IND-CPA adversary against HybridPub. Moreover, B either has 
advantage at least ε λ^{q_d}/4q_1 when playing as a Type I adversary, or has advantage 
at least ε λ^{q_d}/4q_1 when playing as a Type II adversary. B runs in time t + O((q_3 + 
q_4) q_d t'). Here t' is the running time of the BasicCL-PKE encryption algorithm 
and 

1 − λ ≤ (q_3 + q_4) · ε^{OWE}(t + O((q_3 + q_4) q_d t'), q_2) + q_2 · ε^{GBDHP}(t + O((q_3 + q_4) q_d t')) + 3q_1 + 2^{n+1}, 

where ε^{OWE}(T, q') denotes the highest advantage of any Type I or Type II OWE 
adversary against BasicPub which operates in time T and makes q' hash queries 
to H_2, and ε^{GBDHP}(T) denotes the highest advantage of any time T algorithm to 
solve GBDHP in groups of order q generated by 𝓘𝓖. 

Lemma 3. Suppose that H_3 and H_4 are random oracles. Let A_I be a Type I 
IND-CPA adversary against HybridPub which has advantage ε and makes q_4 
queries to H_4. Then there exists a Type I OWE adversary A'_I against BasicPub 
which runs in time O(time(A_I)) and has advantage at least ε/2(q_3 + q_4). 

Lemma 4. Suppose that H_3 and H_4 are random oracles. Let A_II be a Type 
II IND-CPA adversary against HybridPub which has advantage ε and makes q_4 
queries to H_4. Then there exists a Type II OWE adversary A'_II against BasicPub 
which runs in time O(time(A_II)) and has advantage at least ε/2(q_3 + q_4). 

Lemma 5. Suppose that H_2 is a random oracle. Suppose there exists a Type I 
OWE adversary A_I against BasicPub which makes at most q_2 queries to H_2 and 
which has advantage ε. Then there exists an algorithm B to solve the GBDHP 
which runs in time O(time(A_I)) and has advantage at least (ε − 1/2^n)/q_2. 

Lemma 6. Suppose that H_4 is a random oracle and that there exists an IND- 
CCA Type II adversary A_II on FullCL-PKE with advantage ε which makes 
at most q_4 queries to H_4. Then there is an IND-CCA Type II adversary on 
HybridPub with advantage at least ε/q_4 which runs in time O(time(A_II)). 

Lemma 7. Suppose that H_3 and H_4 are random oracles. Let A_II be a Type 
II IND-CCA adversary against HybridPub which has advantage ε, makes q_d 
decryption queries, q_3 queries to H_3 and q_4 queries to H_4. Then there exists a 
Type II OWE adversary A'_II against BasicPub with 

time(A'_II) = time(A_II) + O(n(q_3 + q_4)) 

Adv(A'_II) ≥ (1/(2(q_3 + q_4))) · ((ε + 1)(1 − q^{−1} − …) − 1). 

Lemma 8. Suppose that H_2 is a random oracle. Suppose there exists a Type II 
OWE adversary A_II against BasicPub which makes at most q_2 queries to H_2 
and which has advantage ε. Then there exists an algorithm B to solve the BDHP 
which runs in time O(time(A_II)) and has advantage at least (ε − 1/2^n)/q_2. 


A. 3: Proofs of Lemmas 

Proof of Lemma 2: Let Ai be a Type I IND-CCA adversary against 
FullCL-PKE. Suppose Ai has advantage e, runs in time t, makes q, queries to 
random oracle Hi (1 < i < 4) and makes q,j decryption queries. We show how to 
construct from Ai an adversary B that acts either as a Type I IND-CCA adver- 
sary against HybridPub or as a Type II IND-CCA adversary against HybridPub. 
We assume that challengers C/,C// for both types of game are available to B. 

Adversary B begins by choosing a random bit c and an index I uniformly 
at random with 1 < 7 < <71. Ifc=0, then B chooses to play against Cj and 
aborts C//. Here, B will build a Type I IND-CPA adversary against HybridPub 
and fails against Cjj. When c= 1, B chooses to play against C n and aborts C/. 
Here, B will build a Type II IND-CPA adversary against HybridPub and fails 
against C/. In either case, C will denote the challenger against which B plays 
for the remainder of this proof. We let H denote the event that Ai chooses ID/ 
as the challenge identity ID ch . We let To denote the event that Ai extracts the 
partial private key for entity ID/ and T\ denote the event that Ai replaces the 
public key of entity ID/ at some point in its attack. 

If c = 0, then C is a Type I challenger for HybridPub and begins by sup- 
plying B with a public key K pub = (G/ , G2, e, n, P, Pq, X, Y. Q, H 2 , H :i , 77 4 ). 
If c = 1, then C is a Type II challenger and so supplies B with a public 
key K pub together with the value s such that P 0 = sP. Then B simulates 
the algorithm Setup of FullCL-PKE for Ai by supplying Ai with params= 
(Gi, G2, e, n, P, Po, Hi, H 2 , H$, H 4 ). Here Hi is a random oracle that will be 
controlled by B. Adversary Ai may make queries of the random oracles Hi, 
1 < i < 4, at any time during its attack. These are handled as follows: 

$H_1$ queries: $\mathcal{B}$ maintains a list of tuples $(\mathrm{ID}_i, Q_i, b_i, x_i, X_i, Y_i)$ which we call the 
$H_1$ list. The list is initially empty, and when $\mathcal{A}_I$ queries $H_1$ on input $\mathrm{ID} \in \{0,1\}^*$, 
$\mathcal{B}$ responds as follows: 

(1) If ID already appears on the $H_1$ list in a tuple $(\mathrm{ID}_i, Q_i, b_i, x_i, X_i, Y_i)$, then $\mathcal{B}$ 
responds with $H_1(\mathrm{ID}) = Q_i \in \mathbb{G}_1^*$. 



470 


Sattam S. Al-Riyami and Kenneth G. Paterson 


(2) If ID does not already appear on the list and ID is the $I$-th distinct $H_1$ query 
made by $\mathcal{A}_I$, then $\mathcal{B}$ picks $b_I$ at random from $\mathbb{Z}_n^*$, outputs $H_1(\mathrm{ID}) = b_I Q$ and 
adds the entry $(\mathrm{ID}, b_I Q, b_I, \bot, X, Y)$ to the $H_1$ list. 

(3) Otherwise, when ID does not already appear on the list and ID is the $i$-th 
distinct $H_1$ query made by $\mathcal{A}_I$ where $i \ne I$, $\mathcal{B}$ picks $b_i$ and $x_i$ at random from 
$\mathbb{Z}_n^*$, outputs $H_1(\mathrm{ID}) = b_i P$ and adds $(\mathrm{ID}, b_i P, b_i, x_i, x_i P, x_i P_0)$ to the $H_1$ list. 

Notice that with this specification of $H_1$, the FullCL-PKE partial private key 
for $\mathrm{ID}_i$ ($i \ne I$) is equal to $b_i P_0$ while the public key for $\mathrm{ID}_i$ is $(x_i P, x_i P_0)$ and 
the private key for $\mathrm{ID}_i$ is $x_i b_i P_0$. These can all be computed by $\mathcal{B}$ when $c = 0$. 
Additionally, when $c = 1$ (so $\mathcal{B}$ has $s$), $\mathcal{B}$ can compute $s b_I Q$, the partial private 
key of $\mathrm{ID}_I$. 

$H_2$ queries: Any $H_2$ queries made by $\mathcal{A}_I$ are passed to $\mathcal{C}$ to answer. We do need 
to assume in the course of the proof that $H_2$ is a random oracle. 

$H_3$ and $H_4$ queries: Adversary $\mathcal{B}$ passes $\mathcal{A}_I$'s $H_3$ and $H_4$ queries to $\mathcal{C}$ to answer, 
but keeps lists $(\sigma_j, M_j, H_{3,j})$ and $(\sigma'_l, H_{4,l})$ of $\mathcal{A}_I$'s distinct queries and $\mathcal{C}$'s replies 
to them. 

Phase 1: After receiving params from $\mathcal{B}$, $\mathcal{A}_I$ launches Phase 1 of its attack, by 
making a series of requests, each of which is either a partial private key extraction 
for an entity, a private key extraction for an entity, a request for a public key 
for an entity, a replacement of a public key for an entity or a decryption query 
for an entity. We assume that $\mathcal{A}_I$ always makes the appropriate $H_1$ query on 
the identity ID for that entity before making one of these requests. $\mathcal{B}$ replies to 
these requests as follows: 

Partial Private Key Extraction: Suppose the request is on $\mathrm{ID}_i$. There are 
three cases: (1) If $i \ne I$, then $\mathcal{B}$ replies with $b_i P_0$. (2) If $i = I$ and $c = 0$, then $\mathcal{B}$ 
aborts. (3) If $i = I$ and $c = 1$, then $\mathcal{B}$ replies with $s b_I Q$. 

Private Key Extraction: Suppose the request is on $\mathrm{ID}_i$. We can assume that 
the public key for $\mathrm{ID}_i$ has not been replaced. There are two cases: (1) If $i \ne I$, 
then $\mathcal{B}$ outputs $x_i b_i P_0$. (2) If $i = I$, then $\mathcal{B}$ aborts. 

Request for Public Key: If the request is on $\mathrm{ID}_i$ then $\mathcal{B}$ returns $(X_i, Y_i)$ by 
accessing the $H_1$ list. 

Replace Public Key: Suppose the request is to replace the public key for $\mathrm{ID}_i$ 
with value $(X'_i, Y'_i)$. (We know that this will be a valid public key, i.e. a key 
satisfying $e(X'_i, P_0) = e(Y'_i, P)$.) There are two cases: (1) If $i = I$ and $c = 1$, 
then $\mathcal{B}$ aborts. (2) Otherwise, $\mathcal{B}$ replaces the current entries $X_i, Y_i$ in the $H_1$ list 
with the new entries $X'_i, Y'_i$. If $i = I$, then $\mathcal{B}$ makes a request to its challenger $\mathcal{C}$ 
to replace the public key components $(X, Y)$ in $K_{pub}$ with new values $(X'_I, Y'_I)$. 

Decryption Queries: Suppose the request is to decrypt ciphertext $(U, V, W)$ 
for $\mathrm{ID}_i$, where (as discussed in Section 3), the private key that should be used 
is the one corresponding to the current value of the public key for $\mathrm{ID}_i$. Notice 
that even when $i = I$, $\mathcal{B}$ cannot make use of $\mathcal{C}$ to answer the query, because $\mathcal{B}$ is 
meant to be an IND-CPA adversary. Instead $\mathcal{B}$ makes use of an algorithm $\mathcal{KE}$. 
Algorithm $\mathcal{KE}$: The input to the algorithm is a ciphertext $C = (U, V, W)$, an 
identity $\mathrm{ID}_i$ and the current value of the public key $(X_i, Y_i)$. We assume that 
$\mathcal{K}\mathcal{E}$ also has access to the $H_3$ and $H_4$ lists. $\mathcal{KE}$ operates as follows: 

(1) Find all triples $(\sigma_j, M_j, H_{3,j})$ on the $H_3$ list such that 

$(U, V) = \text{BasicCL-PKE-Encrypt}_{\mathrm{ID}_i, (X_i, Y_i)}(\sigma_j; H_{3,j}).$ 

Here, $\text{BasicCL-PKE-Encrypt}_{\mathrm{ID}_A, (X_A, Y_A)}(M; r)$ denotes the BasicCL-PKE encryp- 
tion of message $M$ for $\mathrm{ID}_A$ using public key $(X_A, Y_A)$ and random value $r$. Collect 
all these triples in a list $S_1$. If $S_1$ is empty, output $\bot$ and halt. 

(2) For each triple $(\sigma_j, M_j, H_{3,j})$ in $S_1$, find all pairs $(\sigma'_l, H_{4,l})$ in the $H_4$ list 
with $\sigma'_l = \sigma_j$. For each such match, place $(\sigma_j, M_j, H_{3,j}, H_{4,l})$ on a list $S_2$. If $S_2$ 
is empty, then output $\bot$ and halt. 

(3) Check in $S_2$ for an entry such that $W = M_j \oplus H_{4,l}$. If such an entry exists, 
then output $M_j$ as the decryption of $(U, V, W)$. Otherwise, output $\bot$. 

We prove that $\mathcal{KE}$ correctly decrypts with high probability in Lemma 9. 

Challenge Phase: At some point, $\mathcal{A}_I$ should decide to end Phase 1 and pick 
$\mathrm{ID}_{ch}$ and two messages $m_0, m_1$ on which it wishes to be challenged. We can 
assume that $\mathrm{ID}_{ch}$ has already been queried of $H_1$ but that $\mathcal{A}_I$ has not extracted 
the private key for this identity. Algorithm $\mathcal{B}$ responds as follows. If $\mathrm{ID}_{ch} \ne \mathrm{ID}_I$ 
then $\mathcal{B}$ aborts. Otherwise $\mathrm{ID}_{ch} = \mathrm{ID}_I$ and $\mathcal{B}$ gives $\mathcal{C}$ the pair $m_0, m_1$ as the 
messages on which it wishes to be challenged. $\mathcal{C}$ responds with the challenge 
ciphertext $C' = (U', V', W')$, such that $C'$ is the HybridPub encryption of $m_b$ 
under $K_{pub}$ for a random $b \in \{0,1\}$. Then $\mathcal{B}$ sets $C^* = (b_I^{-1} U', V', W')$ and 
delivers $C^*$ to $\mathcal{A}_I$. It is easy to see that $C^*$ is the FullCL-PKE encryption of 
$m_b$ for identity $\mathrm{ID}_I$ under public key $(X_I, Y_I)$. We let $(X_{ch}, Y_{ch})$ denote the 
particular value of the public key for identity $\mathrm{ID}_{ch}$ during the challenge phase 
($\mathcal{A}_I$ may change this key in Phase 2 of its attack). 

Phase 2: $\mathcal{B}$ continues to respond to $\mathcal{A}_I$'s requests as in Phase 1. 

Guess: Eventually, $\mathcal{A}_I$ should make a guess $b'$ for $b$. Then $\mathcal{B}$ outputs $b'$ as its 
guess for $b$. If $\mathcal{A}_I$ has used more than time $t$, or attempts to make more than $q_i$ 
queries to random oracle $H_i$ or more than $q_d$ decryption queries, then $\mathcal{B}$ should 
abort $\mathcal{A}_I$ and output a random guess for bit $b$ (in this case algorithm $\mathcal{KE}$ has 
failed to perform correctly at some point). 

Analysis: We claim that if algorithm $\mathcal{B}$ does not abort during the simulation 
and if all of $\mathcal{B}$'s uses of the algorithm $\mathcal{KE}$ result in correct decryptions, then 
algorithm $\mathcal{A}_I$'s view is identical to its view in the real attack. Moreover, if this is 
the case, then $2(\Pr[b = b'] - \frac{1}{2}) \ge \varepsilon$. This is not hard to see: $\mathcal{B}$'s responses to all 
hash queries are uniformly and independently distributed as in the real attack. 
All responses to $\mathcal{A}_I$'s requests are valid, provided of course that $\mathcal{B}$ does not abort 
and that $\mathcal{KE}$ performs correctly. Furthermore, the challenge ciphertext $C^*$ is a 
valid FullCL-PKE encryption of $m_b$ under the current public key for identity 
$\mathrm{ID}_{ch}$, where $b \in \{0, 1\}$ is random. Thus, by definition of algorithm $\mathcal{A}_I$ we have 
that $2(\Pr[b = b'] - \frac{1}{2}) \ge \varepsilon$. 
So we must examine the probability that $\mathcal{B}$ does not abort during the simula- 
tion given that the algorithm $\mathcal{KE}$ performs correctly. Examining the simulation, 
we see that $\mathcal{B}$ can abort for one of four reasons: 

(0) Because $c = 0$ and the event $\mathsf{F}_0$ occurred during the simulation. 

(1) Because $c = 1$ and event $\mathsf{F}_1$ occurred during the simulation. 

(2) Because $\mathcal{A}_I$ made a private key extraction on $\mathrm{ID}_I$ at some point. 

(3) Or because $\mathcal{A}_I$ chose $\mathrm{ID}_{ch} \ne \mathrm{ID}_I$. 

We name the event $(c = i) \wedge \mathsf{F}_i$ as $\mathsf{H}_i$ for $i = 0, 1$. We also name the last two 
events here as $\mathsf{F}_2$ and $\mathsf{F}_3$. Of course, $\mathsf{F}_3$ is the same as event $\neg\mathsf{H}$. Now $\mathcal{A}_I$ 
makes $q_1$ queries of $H_1$ and chooses $\mathrm{ID}_{ch}$ from amongst the responses $\mathrm{ID}_i$, while 
$\mathcal{B}$'s choice of $I$ is made uniformly at random from the set of $q_1$ indices $i$. So the 
probability that $\mathrm{ID}_{ch} = \mathrm{ID}_I$ is equal to $1/q_1$. Hence $\Pr[\mathsf{H}] = 1/q_1$. Notice too 
that the event $\neg\mathsf{F}_3$ implies the event $\neg\mathsf{F}_2$ (if $\mathcal{A}_I$ chooses $\mathrm{ID}_{ch} = \mathrm{ID}_I$, then no 
private key extraction on $\mathrm{ID}_I$ is allowed). Gathering this information together: 

$\Pr[\mathcal{B} \text{ does not abort}] = \Pr[\neg\mathsf{H}_0 \wedge \neg\mathsf{H}_1 \wedge \neg\mathsf{F}_2 \wedge \neg\mathsf{F}_3] = \frac{1}{q_1} \cdot \Pr[\neg\mathsf{H}_0 \wedge \neg\mathsf{H}_1 \mid \mathsf{H}].$ 

Notice now that the events $\mathsf{H}_0$ and $\mathsf{H}_1$ are mutually exclusive (because one 
involves $c = 0$ and the other $c = 1$). Therefore we have 

$\Pr[\neg\mathsf{H}_0 \wedge \neg\mathsf{H}_1 \mid \mathsf{H}] = 1 - \Pr[\mathsf{H}_0 \mid \mathsf{H}] - \Pr[\mathsf{H}_1 \mid \mathsf{H}].$ 

Moreover, $\Pr[\mathsf{H}_i \mid \mathsf{H}] = \Pr[(c = i) \wedge \mathsf{F}_i \mid \mathsf{H}] = \frac{1}{2}\Pr[\mathsf{F}_i \mid \mathsf{H}]$, where the last equality 
follows because the event $\mathsf{F}_i \mid \mathsf{H}$ is independent of the event $c = i$. So we have 

$\Pr[\mathcal{B} \text{ does not abort}] = \frac{1}{q_1}\left(1 - \frac{1}{2}\Pr[\mathsf{F}_0 \mid \mathsf{H}] - \frac{1}{2}\Pr[\mathsf{F}_1 \mid \mathsf{H}]\right).$ 

Finally, we have that $\Pr[\mathsf{F}_0 \wedge \mathsf{F}_1 \mid \mathsf{H}] = 0$ because of the rules on adversary 
behaviour described in Section 3 (an adversary cannot both extract the partial 
private key and change the public key of the challenge identity). This implies 
that $\Pr[\mathsf{F}_0 \mid \mathsf{H}] + \Pr[\mathsf{F}_1 \mid \mathsf{H}] \le 1$. Hence we see that $\Pr[\mathcal{B} \text{ does not abort}] \ge 1/2q_1$. 

Now we examine the probability that algorithm $\mathcal{KE}$ correctly handles all of 
$\mathcal{A}_I$'s $q_d$ decryption queries. We will show in Lemma 9 below that the probability 
that $\mathcal{KE}$ correctly replies to individual decryption queries is at least $\lambda$, where $\lambda$ 
is bounded as in the statement of this lemma. 

It is now easy to see that $\mathcal{B}$'s advantage is at least $\frac{\varepsilon}{2q_1}\lambda^{q_d}$. It follows that 
either $\mathcal{B}$'s advantage as a Type I adversary against HybridPub or $\mathcal{B}$'s advantage 
as a Type II adversary against HybridPub is at least $\frac{\varepsilon}{4q_1}\lambda^{q_d}$. The running time 
of $\mathcal{B}$ is $\mathrm{time}(\mathcal{A}_I) + q_d \cdot \mathrm{time}(\mathcal{KE}) = t + O((q_3 + q_4) q_d t')$ where $t'$ is the running 
time of the BasicCL-PKE encryption algorithm. This completes the proof. 

Lemma 9. In the simulation in the proof of Lemma 2, Algorithm $\mathcal{KE}$ correctly 
replies to individual decryption queries with probability at least $\lambda$ where 

$1 - \lambda \le (q_3 + q_4) \cdot \varepsilon_{OWE}(t + O((q_3 + q_4) q_d t'),\, q_2) + \varepsilon_{GBDHP}(t + O((q_3 + q_4) q_d t')) + 3q_1 + 2^{n+1}.$ 

Here $t$ is the running time of adversary $\mathcal{A}_I$, $t'$ is the running time of the 
BasicCL-PKE encryption algorithm, $\varepsilon_{OWE}(T, q')$ denotes the highest advantage of 
any Type I or Type II OWE adversary against BasicPub which operates in time 
$T$ and makes $q'$ hash queries to $H_2$, and $\varepsilon_{GBDHP}(T)$ denotes the highest advantage 
of any algorithm to solve GBDHP in time $T$ in groups of order $q$ generated by 
$\mathcal{IG}$. 

Proof of Lemma 9: The proof, which is given in [2], is closely modelled on the 
proof of [11, Lemma 11], but differs in several key respects: we need to build an 
algorithm which handles multiple public keys, and the algorithm can be asked 
to decrypt the challenge ciphertext (but under a different identity/public key 
combination from the challenge identity). This substantially complicates the 
analysis. 

Proof of Lemma 3: This proof is modelled on the proof of [11, Lemma 10], 
modified to handle $\mathcal{A}_I$'s ability to replace public keys. See [2] for details. 

Proof of Lemma 4: The proof technique is similar to that used in Lemma 3. 

Proof of Lemma 5: This proof is similar to that of [5, Theorem 4.1], with 
modifications to handle adversaries who can replace public keys. 

Proof of Lemma 6: The proof is in the full version [2]; it uses ideas from both 
the $c = 1$ case of the proof of Lemma 2, and the proof of [5, Lemma 4.6]. 

Proof of Lemma 7: This is easily proven using [11, Theorem 14], noting that 
$s$ can be made available to Type II adversaries simply by including it in public 
keys. We also use the fact that HybridPub is $1/q$-uniform in the sense of [11]. 

Proof of Lemma 8: The proof in [2] uses similar techniques to the proof of 
Lemma 5 with a twist to handle the Type II adversary's knowledge of $s$. 
Abstract. In this paper, we introduce a conceptually very simple and 
demonstrative algorithm for finding small solutions $(x, y)$ of $ax + y = 
c \bmod N$, where $\gcd(a, N) = 1$. Our new algorithm is a variant of the 
Euclidean algorithm. Unlike former methods, it finds a small solution 
whenever such a solution exists. Further it runs in time $O((\log N)^3)$, 
which is the same as the best known previous techniques, e.g. lattice- 
based solutions. 

We then apply our algorithm to RSA-OAEP and RSA-Paillier to ob- 
tain better security proofs. We believe that there will be many future 
applications of this algorithm in cryptography. 

Keywords: Provable security, Euclidean algorithm, Lattice reduction, 
RSA cryptosystem. 


1 Introduction 

Lattice reduction algorithms have been successfully applied to many cases of 
modern cryptography. In particular, these methods allow us to find a small solution 
$(x, y)$ of the linear modular congruence 

$ax + y = c \bmod N,$ (1) 

where the integers $a$ and $N$ are coprime, i.e. $\gcd(a, N) = 1$. This technique was 
used to prove the security of RSA-OAEP and RSA-Paillier. 

By using the above mentioned technique, Fujisaki et al. showed that RSA- 
OAEP is semantically secure against adaptive chosen ciphertext attacks (IND- 
CCA2) under the RSA assumption in the random oracle model [FOPS01] after 
important works of [BR95,Sho02]. In the random oracle model, the OAEP con- 
version is a technique to design a secure encryption scheme from any trapdoor 
one-way permutation [BR95]. We write $f$-OAEP if $f$ is the underlying trapdoor 
function. Today's most famous cryptosystem, RSA-OAEP, is a result of this 
work. 

C.S. Laih (Ed.): ASIACRYPT 2003, LNCS 2894, pp. 474-491, 2003. 

© International Association for Cryptologic Research 2003 
In the standard model, on the other hand, it is known that the RSA-Paillier 
encryption scheme is semantically secure against chosen plaintext attacks (IND- 
CPA). After the work of [ST02], Catalano et al. proved that the one-wayness 
of RSA-Paillier is equivalent to that of RSA [CGHGN01] by using the above 
technique with $c = 0$. 

Now it is an important aim in cryptography to improve security reduction 
proofs, because the proposed size of the security parameters of a cryptosystem 
is directly influenced by the reduction costs. 

In this paper, we introduce a conceptually much simpler and demonstrative 
algorithm for finding small solutions $(x, y)$ of eq. (1). Our new algorithm is a 
variant of the Euclidean algorithm. Unlike the lattice-based method, it exploits 
that the sought-after small solution is non-negative. Further, it runs in time 
$O((\log N)^3)$, which is the same as the lattice-based method. 

We then apply our algorithm to the security proof of RSA-OAEP to enhance 
the advantage of the reduction algorithm. The proof of RSA-OAEP is divided 
into two parts [FOPSOl]. The first part was to prove the semantic security of 
the general OAEP conversion scheme under the so-called partial-domain one- 
wayness of the underlying trapdoor permutation. The second part was to exploit 
the homomorphic properties of RSA function in order to show the equivalence 
of partial-domain one-wayness and full-domain one-wayness in the RSA case. 

However, the second part does not work for all values of $a$ of eq. (1). More 
precisely, it works if the lattice $L_{a,N} = \{(u, v) \in \mathbb{Z}^2 \mid au = v \bmod N\}$ contains no 
non-zero vector of length at most $2^{k_0+2}$, where $k_0$ is the maximal bit-length of 
the sought-after small solution. Since there are approximately $\pi 2^{2k_0+4} < 2^{2k_0+6}$ 
lattices containing a non-zero vector shorter than $2^{k_0+2}$, the number of bad 
values for $a$ is bounded above by $2^{2k_0+6}$. Obviously, this result is not optimal, 
especially if the bound $k_0$ is close to half of the bit-length of $N$. One reason 
for the non-optimal performance of the lattice-based method is that it does not 
exploit all the information given about the sought-after solution. Namely, it 
takes no advantage of the fact that the solution is non-negative, not only small 
in absolute value. 

For this problem, we are able to upper-bound the number of bad values for 
$a$ by $2^{2k_0+1}$ instead of $2^{2k_0+6}$. 

Finally for RSA-Paillier, we use our new algorithm to construct an alterna- 
tive reduction proof, extending the important work of Catalano et al. [CNS02]. 
Based on the analysis of our algorithm, we give the exact security analysis while 
Catalano et al. gave only asymptotic results. 

But we want to point out that the major aim of this paper is not the ad- 
vancement of the reduction proofs of RSA-OAEP and RSA-Paillier, respectively. 
Indeed, the achieved improvements are not dramatic ones. In fact, the main 
objective of this paper is the introduction of a new algorithm for solving two- 
variable linear congruence with small solutions. We believe that there will be 
many future applications of this algorithm in cryptography. To confirm this as- 
sumption, we revisit the security proofs of RSA-OAEP and RSA-Paillier as two 
applications. 



476 


Kaoru Kurosawa, Katja Schmidt-Samoa, and Tsuyoshi Takagi 


(Related works:) Note that this task is not a new one in cryptography. In 1985, 
De Jonge and Chaum developed an attack against some kinds of RSA signature 
schemes [JC86], which was extended in 1997 by Girault and Misarsky [GM97], 
[Kat01]. These attacks utilize an affine variant of the Euclidean algorithm for 
solving two-variable linear modular equations with small solutions. But it has 
to be stressed that this algorithm may fail, even if small solutions exist. 

If $c = 0$, it is possible to find small solutions by means of continued frac- 
tions. Again, the Euclidean algorithm is used. But as before, this method is only 
heuristic, i.e. it does not succeed with all inputs. 

Our algorithm, on the contrary, works for arbitrary inputs. 

This paper is organized as follows: In Section 2 the security reduction algo- 
rithms of the RSA-OAEP and the RSA-Paillier cryptosystem are reviewed. In 
Section 3 we present our proposed algorithm for solving a two-variable modular 
equation with small solutions. In Section 4 the proposed algorithm is applied 
to the RSA-OAEP and the RSA-Paillier cryptosystem. In Section 5 we state a 
concluding remark. 

2 Security Reduction Algorithms 
of RSA-OAEP and RSA-Paillier 

In this section, we review the reduction proofs of the semantic security of RSA- 
OAEP and the one-wayness of RSA-Paillier. In both cases we are confronted 
with the problem of finding small solutions of modular congruences. We sketch 
the existing solutions which utilize lattice reduction methods. 

2.1 RSA-OAEP 

Let $f : \{0,1\}^k \to \{0,1\}^k$ be a one-way trapdoor permutation. The random oracle 
reduction proof of $f$-OAEP states that if there is a CCA2-adversary against the 
semantic security of $f$-OAEP with a non-negligible advantage and running time 
$t$, then we are able to construct an algorithm $\mathcal{A}$ with the following abilities: On the 
input $f(s_1, s_2)$, $\mathcal{A}$ computes in time polynomial in $t$ and in the number of the 
adversary's queries to the different oracles (decryption and hash) a set $S$, such 
that the probability of $s_1$ being an element of $S$ is non-negligible, too. In a few 
words, the semantic security of $f$-OAEP in the random oracle model is reduced 
to the partial-domain one-wayness of $f$. 

Now we consider the case $f = \mathrm{RSA}$. We will sketch how the partial-domain 
one-wayness of RSA is reduced to its full-domain pendant. First, we introduce 
some notation. If $x$ is a natural number, we write $[x]^l$ for the $l$ most significant 
bits and $[x]_l$ for the $l$ least significant bits of the binary representation of $x$, 
respectively. Let $N$ be a $k$-bit RSA modulus and $k_0 < k/2$. Suppose there is 
an algorithm $\mathcal{A}$ that on the input $C = m^e \bmod N$ returns a set $S$ of size $q$ 
containing the integer $x := [m]^{k-k_0}$. We show how to solve the RSA problem 
(compute $m$ from $C = m^e \bmod N$) using $\mathcal{A}$ as a subroutine. Pick any $a \in (\mathbb{Z}/N\mathbb{Z})^\times$ 
at random and run $\mathcal{A}$ on the inputs $C$ and $C' := C a^e \bmod N$. Because of the 
homomorphic properties of the RSA function we know that $C'$ is the encryption 
of $ma \bmod N$. Hence the two output-sets produced by $\mathcal{A}$ contain the $k - k_0$ most 
significant bits of $m$ and $ma \bmod N$, respectively. We define $u := [m]^{k-k_0}$, $r := 
[m]_{k_0}$, $v := [ma \bmod N]^{k-k_0}$ and $s := [ma \bmod N]_{k_0}$. Thus, $m = u \cdot 2^{k_0} + r$ and 
$ma \bmod N = v \cdot 2^{k_0} + s$ holds, leading to 

$v \cdot 2^{k_0} + s = a \cdot (u \cdot 2^{k_0} + r) \bmod N$ 

$\Rightarrow\; ar = s + c \bmod N, \quad c = (v - ua) \cdot 2^{k_0} \bmod N.$ (2) 

Thus for each of the $q^2$ possible combinations $u, v$ taken from the output-sets 
of the two $\mathcal{A}$-runs, we get a linear modular congruence in the two unknowns $r$ 
and $s$, where $0 \le r, s < 2^{k_0} < \sqrt{N}$. Note that therefore the reduction cost is 
quadratic in $q$ (the value $q$ arises in the random oracle part of the RSA-OAEP 
security proof, namely $q$ equals the number of $\mathcal{A}_{SS}$'s queries to one of the hash 
oracles, where $\mathcal{A}_{SS}$ is an adversary against the semantic security of the OAEP 
conversion scheme). This is the main reason why the RSA-OAEP security proof 
is not meaningful for real-life parameters. Of course, an improvement of the 
congruence-solving step will not affect this problem. Hence it is an important 
future task to find a reduction proof where only one $\mathcal{A}$-run is needed. 

In the following, we call $(x, y)$ a small solution of the congruence (2) iff $0 \le 
x, y < 2^{k_0}$ holds. We explain how Fujisaki et al. find a small solution using the 
Gaussian reduction algorithm. This algorithm can be viewed as a generalization 
of the Euclidean algorithm in dimension 2. For all results concerning lattice 
theory see [MG02], [SF]. At first, compute a reduced basis $(U, V)$ of the lattice 
$L_{a,N} = \{(x, y) \in \mathbb{Z}^2 \mid ax = y \bmod N\}$ using the Gaussian algorithm. As we can 
easily find a sufficiently short basis of $L_{a,N}$, for example take the vectors $(1, a)$ 
and $(1, a + N)$, this can be done in time $O((\log N)^3)$. Let $T$ be a small solution 
and $T_0$ be any solution of (2). To find $T_0 = (x_0, y_0)$, we can choose $x_0$ as we like 
and then compute $y_0 = ax_0 - c \bmod N$. Define $l = 2^{k_0+2}$ and assume that $L_{a,N}$ 
is a so-called $l$-good lattice, meaning that there exists no non-zero lattice vector 
shorter than $l$. This choice of $l$ together with the properties of a reduced basis 
guarantees two important facts: in the first place, $T$ is unique as a small solution 
of (2). Secondly, the coefficients of $T$ in the basis $(U, V)$ are smaller than $1/2$ in 
absolute value. Thus, the coefficients (in $(U, V)$) of the lattice point $T - T_0$ can 
be constructed simply by taking the closest integers to the coefficients of $-T_0$. 
This is a consequence of the uniqueness of basis representation. From knowledge 
of $T_0$ and $T - T_0$, we can easily construct $T$. 

But as stated above, this method only works if the randomly chosen $a$ yields 
an $l$-good lattice. We have already seen that the absolute number of bad values 
for $a$ can be bounded above by $2^{2k_0+6}$; consequently the probability of choosing 
a bad value is smaller than $2^{2k_0+6-k}$. The total advantage of this reduction is 
therefore greater than $\varepsilon' = \varepsilon(\varepsilon - 2^{2k_0+6-k})$, where $\varepsilon$ denotes the advantage of 
the partial inverter $\mathcal{A}$. Note that $\varepsilon'$ is non-negligible in $k = \log N$, if $\varepsilon$ is non- 
negligible in $k$ and if $k_0$ is adequately smaller than $k$, i.e. there is a rational number 
$0 < \tau < 1/2$ such that $k_0 < \tau k$. 
2.2 RSA-Paillier 

Let $N, e$ be the RSA public key. The Hensel lifting problem of the RSA en- 
cryption function is to compute $r^e \bmod N^2$ for a given ciphertext $r^e \bmod N$. In 
2002, Sakurai and Takagi proved that RSA-Paillier is one-way iff the Hensel 
lifting problem is hard [ST02]. Moreover, they introduced a reduction algorithm 
for solving the RSA problem using the Hensel lifting oracle as a subroutine. But 
this algorithm was not efficient (i.e. for each bit of the secret message two oracle 
calls were needed), and it could be proven to achieve a non-negligible advantage 
only in case of a perfect Hensel lifting oracle. A short time later, Catalano et al. 
were able to show that the RSA problem could be solved by calling the (poten- 
tially non-perfect) Hensel lifting oracle only twice [CNS02], hence they reduced 
the one-wayness of RSA-Paillier to the RSA problem. We shortly explain their 
technique in the following. 

Assume that a random RSA ciphertext $c = r^e \bmod N$ is given. We con- 
struct an algorithm that computes $r$ given $c, N, e$ using the Hensel lifting. The 
algorithm obtains $r^e \bmod N^2$ by invoking the Hensel lifting oracle. Then it 
computes $a^e r^e \bmod N$ for a randomly chosen integer $a \in (\mathbb{Z}/N\mathbb{Z})^\times$, and obtains 
$\mu^e \bmod N^2$ from the Hensel lifting oracle, where $\mu = ar \bmod N$. There is an 
integer $z$ such that $ar = \mu(1 + zN) \bmod N^2$. The integer $z \bmod N$ can be com- 
puted due to $a^e r^e = \mu^e(1 + ezN) \bmod N^2$. Consider the two-dimensional lattice 
$L = \{(R, U) \in \mathbb{Z}^2 \mid aR = U(1 + zN) \bmod N^2\}$. By the lattice reduction algorithm 
we can find a vector $(r', \mu') \in L \cap [1, \ldots, N - 1]^2$ in time polynomial in $\log N$. As 
the sought-after vector $(r, \mu)$ is an element of $L$, too, we have the relationship 
$r'\mu = r\mu' \bmod N^2$. Moreover, due to the size constraints $0 < r, r', \mu, \mu' < N$ we 
conclude that in fact equality holds, i.e. $r'\mu = r\mu'$. 

Thus, $r$ and $\mu$ are multiples of $r'/\gcd(r', \mu')$ and $\mu'/\gcd(r', \mu')$, respectively, 
with a factor that is given by $\gcd(r, \mu)$. As with overwhelming probability this 
factor is sufficiently small, it can be found efficiently by an exhaustive search. 

Catalano et al. showed that their method works in time polynomial in $\log N$ 
with a non-negligible advantage, but they gave no concrete bounds. 

3 The Proposed Reduction Algorithm 

Let $N$ be a natural number, $0 < a < N$, $0 \le c < N$, and $\gcd(a, N) = 1$. In this 
section we give the outline of the algorithm Lin_Cong for finding small solutions 
of the two-variable linear modular congruence 

$ax = y + c \bmod N.$ (3) 

To be more concrete, we introduce an algorithm for finding so-called $x$-minimal 
solutions of (3). 

Definition 1. The pair $(x, y)$, $0 \le x < N$, $0 \le y < B$ is called an $x$-minimal 
solution of (3) with respect to the bound $B$, $0 < B \le N$, if $(x, y)$ possesses the 
following properties: 
1. $ax = y + c \bmod N$. 

2. $x$ fulfills the following minimality condition: If $(x_{alt}, y_{alt})$ is a solution of the 
congruence (3) where $0 \le y_{alt} < B$ holds, then we have $x \le x_{alt}$. 

Note that due to the condition $\gcd(a, N) = 1$ for each $B$ there is exactly one 
$x$-minimal solution of (3) w.r.t. $B$. 

As a second step, we propose an efficient variant of the algorithm with com- 
plexity $O((\log N)^3)$. One application of the new algorithm is to replace the lattice- 
based methods used in the reduction proofs described above. Note that we al- 
ways use $\{0, 1, \ldots, N - 1\}$ as representatives for the residue classes modulo $N$. 
The outline of the proposed algorithm is as follows: 

Lin_Cong (Outline) 

Input: $a, c, N, B$, where $0 < a, B < N$, $0 \le c < N$, and $\gcd(a, N) = 1$ 

Output: $x, y$ such that $ax = y + c \bmod N$ and $x \ge 0$ is minimal 
with respect to the property that $0 \le y < B$ 

1. set $a' = a$, $c' = c$, $N' = N$ 

2. set $y' = -c' \bmod N'$ 

3. while $y' \ge B$ do 

4.   set $(a', N') = (-N' \bmod a',\ a')$ (parallel assignment) 

5.   set $c' = c' \bmod N'$, $y' = -c' \bmod N'$ 

6. set $y = y'$, $x = a^{-1} \cdot (y + c) \bmod N$ 

7. return $(x, y)$ 


In the following, we describe the idea of the proposed algorithm. 

First note that $\gcd(a', N') = \gcd(a, N) = 1$ and $a' < N'$ holds in any it- 
eration. Therefore we see that $a' = 0$ is only possible if the corresponding $N'$ 
(the old value $a'$) equals 1. If this is the case, in step 5 of this iteration we 
compute $y' = 0$ and the algorithm will terminate. Consequently, the assignment 
$a' = -N' \bmod a'$ is always defined. 

Let $(x, y)$ be the unique $x$-minimal solution of (3) w.r.t. $B$. We show that 
the algorithm Lin_Cong (Outline) on the inputs $a, c, N, B$ returns $(x, y)$. To be 
more precise, the algorithm finds $y$ and then computes the corresponding $x = 
a^{-1} \cdot (y + c) \bmod N$. The main idea of the algorithm is to reduce the original 
problem to a smaller instance and to iterate this process. This is done as follows: 
From $ax = y + c \bmod N$ we deduce $ax = y + c + kN$ for a suitable $k \in \mathbb{Z}$. 
Euclidean division yields $N = aq + r$ with $0 \le r < a$ and a positive integer $q$. 
Hence we have 

$ax = y + c + kN = y + c + k(aq + r) \;\Rightarrow\; -rk = y + c + a(kq - x)$ 

$\Rightarrow\; -rk = y + c \bmod a$ 

Therefore we have constructed a new linear modular congruence with the new 
modulus $a$ in the role of $N$ and the new factor $-r = -N \bmod a$ in the role of $a$. 
A solution of this new congruence is given by $(k, y) = \left(\frac{ax - y - c}{N},\, y\right)$. The crucial 
point is the fact that this solution is the $x$-minimal solution w.r.t. $B$ of the new 
congruence. 
We define the following sequences by iterating this process: 

$N_0 = N \qquad a_0 = a \qquad c_0 = c \qquad x_0 = x$ 

$N_{i+1} = a_i \qquad a_{i+1} = -N_i \bmod a_i \qquad c_{i+1} = c_i \bmod N_{i+1} \qquad x_{i+1} = \frac{a_i x_i - y - c_i}{N_i}$ 

Note that the first three columns exactly describe the corresponding se- 
quences produced by the algorithm Lin_Cong (Outline). For this reason, we denote 
by $f_{\mathrm{Lin\_Cong}}$ the transformation $(N_i, a_i, c_i) \mapsto (N_{i+1}, a_{i+1}, c_{i+1})$. Let us write 
$\mathrm{cong}_i$ for the linear modular congruence defined with the parameters $a_i$, $c_i$ and 
$N_i$. Inductively, we conclude that the value $x_i$ occurring in the last column leads 
to a solution $(x_i, y)$ of $\mathrm{cong}_i$. Moreover, we can deduce the following lemma (for 
the rather technical proof see Appendix A): 

Lemma 1. Let $(x_i, y)$ be the $x$-minimal solution of $\mathrm{cong}_i$ w.r.t. $B$ and let $x_i > 0$. 
Then $(x_{i+1}, y)$ is the $x$-minimal solution of $\mathrm{cong}_{i+1}$ w.r.t. $B$. In particular, the 
$y$-value of the current $x$-minimal solution w.r.t. $B$ does not change during the 
transformation $f_{\mathrm{Lin\_Cong}}$, as long as $x_i$ is non-negative. 

Hence with each iteration of the while loop the transformation $f_{\mathrm{Lin\_Cong}}$ 
constructs a smaller problem, because the sequence of the moduli $N_i$ is strictly 
monotone decreasing. The problem of finding the $x$-minimal solution is trivial 
in the following case: 

Definition 2. Let $a, c, N, B$ be integers, where $0 < a, B < N$, $0 \le c < N$, 
and $\gcd(a, N) = 1$ hold. The congruence $ax = y + c \bmod N$ satisfies the zero- 
minimum condition with respect to $B$, if $-c \bmod N < B$ holds. 

In fact, it is an easy observation that the $x$-minimal solution of the congru- 
ence $ax = y + c \bmod N$ w.r.t. $B$ is given by the pair $(0, -c \bmod N)$ iff $ax = 
y + c \bmod N$ satisfies the zero-minimum condition w.r.t. $B$. The aim of the algo- 
rithm Lin_Cong (Outline) is to convert the original congruence into a congruence 
satisfying the zero-minimum condition w.r.t. $B$. This is done using the trans- 
formation $f_{\mathrm{Lin\_Cong}}$, which does not affect the $y$-value of the current $x$-minimal 
solution w.r.t. $B$. 

Indeed, we can prove the correctness of algorithm Lin_Cong (Outline): 

Theorem 1. Algorithm Lin_Cong (Outline) is correct, i.e. given integers $a, c, N, 
B$, where $0 < a, B < N$, $0 \le c < N$, and $\gcd(a, N) = 1$ holds, the algorithm 
terminates and outputs the unique $x$-minimal solution $x, y$ of the congruence 
$ax = y + c \bmod N$ with respect to the bound $B$ (see Definition 1). 

Proof. Let $y_i$ denote the $y$-value computed by the algorithm Lin_Cong (Outline) 
in the $i$-th iteration of the while loop. Note that per definition this value yields 
the solution $(0, y_i)$ of $\mathrm{cong}_i$. For each $i = 0, 1, 2, \ldots$ the following holds: Either 
$\mathrm{cong}_i$ satisfies the zero-minimum condition w.r.t. $B$ and consequently $(0, y_i)$ is 
the $x$-minimal solution of $\mathrm{cong}_i$ w.r.t. $B$. Or $x_i$, the $x$-value of the $x$-minimal 
solution of $\mathrm{cong}_i$, is greater than zero and Lemma 1 tells us that $(x_{i+1}, y)$ equals the 
$x$-minimal solution of $\mathrm{cong}_{i+1}$ w.r.t. $B$. As the sequence of the moduli $N_i$ is 
strictly monotone decreasing, there must be an $i \ge 0$ such that $\mathrm{cong}_i$ satisfies 
the zero-minimum condition w.r.t. $B$. If this iteration is reached (i.e. we have 
$y_i < B$ for the first time), then $(0, y_i) = (x_i, y)$ must hold because according to 
Lemma 1 we know that the $y$-value of the $x$-minimal solution w.r.t. $B$ has not 
changed. Obviously, the $x$-value computed in step 6 is the correct one. 

Analyzing algorithm Lin_Cong (Outline) we see that the parallel assignment in 
step 4 describes a variant of the Euclidean algorithm (set $(a, b) = (-b \bmod a,\ a)$ 
instead of set $(a, b) = (b \bmod a,\ a)$ for $a < b$). Obviously, the result remains the 
same, but unfortunately the variant is less efficient. In particular, in the worst 
case we need $a - 1$ steps (to see this, try $a = b - 1$), which is by far not fast 
enough. But some modifications may be helpful: A closer look at the recursion 
formula $(a, b) = (-b \bmod a,\ a)$ discloses that problems occur if $b - a \ll a$ holds. 
In the following steps the difference $b - a$ is subtracted from $a$ and $b$ until the 
resulting $a$ is smaller than $b - a$. This procedure may take a long (too long) 
time. Its result will be $(a \bmod (b - a),\ b - k(b - a))$, where $k$ equals $a \div (b - a)$ (footnote 1). 
Therefore we gain a notable speedup by the following case differentiation: 

if $b - a > a$ then set $(a, b) = (-b \bmod a,\ a)$ 

else set $(a, b) = (a \bmod (b - a),\ b - k(b - a))$ with $k = a \div (b - a)$. 

But we need to be a little careful if we wish to assign this idea to the original 
algorithm (with a' in the role of a and N' in the role of b). In detail, we must 
not ignore a reduction of the value d which would have occurred in one of 
the skipped steps. A possible way out is to skip fewer steps, i.e. we subtract 
N' — a ' until the resulting a ' is smaller than N' — a' or d is greater than the 
resulting N' . We will see in a while that these modifications are good enough 
to yield a polynomial running time (in logiV). But before doing so, we have to 
face a last problem: It is possible that the value y we are seeking for would be 
computed in one of the skipped steps. Note that in each skipped step the value 
y' = — d mod N' is reduced by the amount N' — a' (this is true because due to 
the above considerations the value d remains constant). Hence if the resulting y' 
exceeds the bound B, all the “invisible” values y’ computed during the skipped 
steps do so, too. This means that it is possible to miss the sought-after value y 
only in the last while cycle before termination. So we avoid missing the correct 
y by doing the following: If steps have been skipped during the last while cycle 
add N' — a' to the current value y' until y' + k(N' — a') exceeds B for the first 
time. Then set y = y 1 + (k — 1 )(N' — a') and compute the corresponding x-value 
as usual. 


¹ x ÷ y denotes the Euclidean quotient of x and y.

3.1 Algorithm Lin_Cong

The proposed algorithm Lin_Cong is as follows:

Lin_Cong

Input: a, c, N, B, where 0 < a, B < N, 0 < c < N, and gcd(a, N) = 1
Output: x, y such that ax = y + c mod N and x ≥ 0 is minimal with respect to the property that 0 ≤ y ≤ B

1. set a' = a, c' = c, N' = N
2. set y' = −c' mod N'
3. while y' > B do
4.     set diff = N' − a'
5.     if diff < a' and diff < N' − c'
6.     then set k = min(a' ÷ diff, (N' − c') ÷ diff)
7.          set (a', N') = (a' − k · diff, N' − k · diff), set flag = 1
8.     else set (a', N') = (−N' mod a', a'), set flag = 0
9.     set c' = c' mod N', set y' = −c' mod N'
10. if flag = 1 then set k = (B − y') ÷ diff (the largest k with y' + k · diff ≤ B), set y = y' + k · diff
11. else set y = y'
12. set x = a^{−1} · (y + c) mod N
13. return (x, y)




We can prove the following theorem:

Theorem 2. a) The complexity of the algorithm Lin_Cong is O((log N)^3).

b) Let a, c, N, B be integers, where 0 < a, B < N, 0 < c < N, and gcd(a, N) = 1 holds. Algorithm Lin_Cong on the inputs a, c, N, B finds a small solution 0 ≤ x, y ≤ B of the congruence ax = y + c mod N, provided such a solution exists at all.

Proof. From the discussion above we know that on each input the algorithm Lin_Cong computes the same output as its slower variant Lin_Cong (Outline). Thus the second part of the theorem is an immediate consequence of Theorem 1. So it remains to show that algorithm Lin_Cong runs in polynomial time. We distinguish four cases:

1. The condition in step 5 is not fulfilled due to N' − a' = diff ≥ a'. Hence the else-case in step 8 is entered. From N' ≥ 2a' we deduce that the assignment N' = a' at least halves the value of N'.

2. The condition in step 5 is not fulfilled due to N' − a' = diff ≥ N' − c'. Hence the else-case in step 8 is entered and N' is assigned the value a'. Because of a' ≤ c' the reduction of c' modulo N' (= a') in step 9 at least halves the value of c'.

3. The condition in step 5 is fulfilled and the value k computed in step 6 equals a' ÷ (N' − a'). In this case, the assignment a' = a' − k · (N' − a') done in step 7 is equivalent to a' = a' mod (N' − a'). As we have N' − a' < a', this assignment at least halves the value of a'.

4. The condition in step 5 is fulfilled and the value k computed in step 6 equals (N' − c') ÷ (N' − a'). The value of k is chosen in order to achieve that N' − (k + 1)(N' − a') < c' holds. Hence the reduction of c' modulo N' in step 9 of the following while cycle at least halves the value of c'.

Summing up, we see that at least in each second while cycle at least one of the values a', c' and N' is at least halved. Note that the algorithm terminates at once if a' = 0, c' = 0 or N' = 1 holds. So the number of while cycles is bounded above by log a + 2 log c + log N. Each step during the while loop can be done in O((log N)^2), therefore the time complexity of the algorithm Lin_Cong is O((log N)^3).

3.2 Finding All Small Solutions

In this subsection we show that algorithm Lin_Cong can be modified to find all small solutions (x, y) of the linear modular congruence (3). We call (x, y) a small solution if 0 ≤ x, y < √N is satisfied. The time needed for computing all small solutions is O((log N)^3) + l · O(log N), where l is the absolute number of small solutions. The most important observation is that there is a quite simple relationship between all the small solutions in the case of c = 0. The general case c ≠ 0 can be easily derived from the special case. We will see that in both cases all small solutions are located on the same line.


The Case c = 0. Let (x_0, y_0) and (x_1, y_1) be two different small solutions of

ax = y mod N, gcd(a, N) = 1, (4)

i.e.

ax_0 = y_0 mod N and ax_1 = y_1 mod N,

leading to

x_0 y_1 = x_1 y_0 mod N.

But due to the size constraints (both products are smaller than N) we deduce that this relationship even holds in Z. Consequently, all small solutions are located on the same line through the origin. Hence to get all small solutions we simply have to compute all integer multiples (kx, ky), k ∈ Z_{≥0}, kx, ky < √N, where (x, y) is the smallest non-zero solution of (4). This solution can be obtained using algorithm Lin_Cong. If we run algorithm Lin_Cong on an input with c = 0, then it will terminate at once with the result (0, 0). But we are seeking a non-zero solution, hence we exploit the relationship ax = y mod N ⇔ a(x − 1) = y − a mod N. Namely, we run Lin_Cong on the input (a, N − a, N, √N), get the result (x', y'), and return (x, y) := (x' + 1, y'). Theorem 1 shows that (x, y) indeed yields the smallest non-zero solution of (4).


The Case c ≠ 0. Let (x, y) be the small solution computed by algorithm Lin_Cong on the input (a, c, N, √N) and let (x_alt, y_alt) be a different small solution. In particular, the difference (x_alt − x, y_alt − y) is a non-zero solution of (4). As x is minimal, we know x ≤ x_alt. Thus we conclude 0 ≤ x_alt − x < √N, −√N < y_alt − y < √N. We distinguish two cases:

1. If y_alt ≥ y holds, then (x_alt − x, y_alt − y) is a small solution of (4) and can be found as described above.

2. Otherwise (x_alt − x, y_alt − y) is a solution of (4), too, but only small in absolute value (with a negative y-component). It is easy to see that we can find all solutions (x, y), 0 ≤ x < √N, −√N < y < 0 of (4) by computing all small solutions of (−a)x = y mod N as usual and then changing the signs of the y-components.

Note that at most one of these two cases may appear, because if there are two additional small solutions (x_alt1, y_alt1) and (x_alt2, y_alt2) with y_alt1 ≥ y and y_alt2 < y, then the three differences (x_alt1 − x, y_alt1 − y), (x_alt2 − x, y_alt2 − y) and (x_alt1 − x_alt2, y_alt1 − y_alt2) are non-zero solutions of (4) with |x|, |y| < √N and, by the size argument of the case c = 0, would have to lie on one line through the origin. This is impossible: the first two have non-negative x-components, but one has a non-negative and the other a negative y-component.

This leads to the following algorithm:

Lin_Cong_All

Input: a, c, N, where 0 < a, c < N, and gcd(a, N) = 1
Output: Set S = {(x, y) | ax = y + c mod N, 0 ≤ x, y < √N}

1. set S = {}
2. set (x, y) = Lin_Cong(a, c, N, √N)
3. if x ≥ √N then return S and stop
4. else append (x, y) to S
5. set (x', y') = Lin_Cong(a, N − a, N, √N)
6. set (x_0, y_0) = (x' + 1, y'), set k = 1
7. while x + k x_0 < √N and y + k y_0 < √N do
8.     append (x + k x_0, y + k y_0) to S and increment k
9. if #S > 1 then return S and stop
10. set (x', y') = Lin_Cong(N − a, a, N, √N)
11. set (x_0, y_0) = (x' + 1, −y'), set k = 1
12. while x + k x_0 < √N and y + k y_0 ≥ 0 do
13.     append (x + k x_0, y + k y_0) to S and increment k
14. return S

In step 2, we use algorithm Lin_Cong to compute the small solution with the minimal x-coordinate x. If even x reaches the bound √N, then obviously no small solution exists at all. The value (x_0, y_0) computed in step 6 equals the smallest non-zero solution of (4). As we have seen above, each sum of (x, y) and an integer multiple of (x_0, y_0) yields a solution of ax = y + c mod N. But as x is minimal, we only have to consider factors k ≥ 1. If there is at least one small solution (x + k x_0, y + k y_0), we know that all small solutions have to be of this shape. Hence the while loop in steps 7 and 8 finds all remaining small solutions and the algorithm terminates. Otherwise we compute the smallest non-zero solution of ax = y mod N with a negative y-component (steps 10 and 11; note that (N − a)(x' + 1) = −y' mod N) and proceed in the same way as before.
3.3 Comparison with the Continued Fraction Method

Another often used method for finding small solutions of a linear modular congruence where the affine coefficient c equals zero is obtained by the continued fraction expansion. We call this method the Euclidean reduction (see [HW79] for the comprehensive treatment). To resume, this method finds all fractions p/q nearby a rational number α (i.e. we have |α − p/q| < 1/(2q²)), where the fractions p/q come in their lowest terms. Assume that we want to find small solutions that do not exceed √N of the congruence ax = y mod N, where gcd(a, N) = 1 holds. As we have already shown in subsection 3.2, all these solutions are located on the same line through the origin. Therefore there exists a solution (x, y) such that gcd(x, y) = 1 is fulfilled. From ax = y mod N we conclude that there is an integer k such that ax = y + kN. Dividing by Nx we have

\[ \frac{a}{N} - \frac{k}{x} = \frac{y}{Nx}. \]

If 2xy < N holds, the upper bound of y/(Nx) is 1/(2x²). If in addition the rational number k/x is irreducible, i.e. gcd(k, x) = 1, we can find the integer x and thus y by using the Euclidean reduction method. Note that gcd(k, x) = 1 holds because gcd(x, y) = 1 is satisfied: If gcd(k, x) = 1 is not true, there is an integer δ > 1 such that gcd(k, x) = δ. From ax − Nk = y, we have δ | y and hence δ | gcd(x, y). This contradicts gcd(x, y) = 1. Summing up, we can use this method only if we know that the product 2xy does not exceed N. Consequently, we prefer the use of algorithm Lin_Cong, which finds x, y even if 2xy < N is not fulfilled.

4 Security Reduction Analysis Using the Proposed Algorithm

In this section, we show how algorithm Lin_Cong may be applied to the reduction proofs of RSA-OAEP and RSA-Paillier. In the case of RSA-OAEP we will upper-bound the number of bad values a by 2^{2k_0+1}, compared to the former bound 2^{2k_0+6}. Regarding RSA-Paillier, we will give an explicit reduction algorithm based on the work of Catalano et al. [CNS02]. We will achieve reduction time 2t + O((log N)^3 ε^{−2}) and advantage ε' ≥ ε²/5, where t and ε are the time and the advantage of the Hensel-lifting oracle, respectively.

4.1 Application to RSA-OAEP

In section 2.1 we have described the reduction proof given by Fujisaki et al. [FOPS01]. Remember that they have constructed the following congruence

ax = y + c mod N, c = (v − ua) · 2^{k_0} mod N, (6)

where u and v are built of the k − k_0 most significant bits of m or ma mod N, respectively. In the RSA-OAEP case we call (x, y) a small solution of the congruence (6) iff 0 ≤ x, y < 2^{k_0} holds. The congruence (6) is known to have the small solution (r, s), where r is built from the remaining k_0 least significant bits of m.

In section 2.1 we have already seen that the lattice based method only works if the randomly chosen value a yields an l-good lattice. In contrast, algorithm Lin_Cong always finds a small solution, provided a small solution exists at all. But it has to be stressed that, referring to the lattice method, the choice of a good value a ensures that there exists exactly one small solution. This is an important property, because if the small solution (r, s) is not unique, there is of course no warrant that the solution computed with our algorithm is the correct one. A possible way out is to use algorithm Lin_Cong_All instead, which computes all small solutions, and to test each of them. But this is only efficient if the set of small solutions is not too big. Let l be a "sufficiently" small natural number. We want to bound from above the probability that the number of small solutions exceeds l. As we have seen in subsection 3.2, each small solution is of the shape (x + kx_0, y + ky_0), where (x, y) is the special solution computed by the algorithm Lin_Cong and (x_0, y_0) is either the shortest element of {(x, y) | ax = y mod N, 0 < x, y < 2^{k_0}} or (x_0, y_0) is the shortest element of {(x, y) | ax = y mod N, 0 < x < 2^{k_0}, −2^{k_0} < y < 0}. Hence there are at most l small solutions of (6) if the congruence ax = y mod N has no solution (x, y), where

0 < x < 2^{k_0}/l, −2^{k_0}/l < y < 2^{k_0}/l. (7)

We call a a bad value if there exists a solution of ax = y mod N fulfilling the size constraints (7). If (7) holds for (x, y), then there is exactly one a such that (x, y) is a solution of ax = y mod N, namely a = x^{−1} y mod N. Note that due to the size constraints no problems computing modular inverses occur. Hence there are at most 2^{2k_0+1}/l² bad values of a. The maximal number is 2^{2k_0+1} for l = 1.

Therefore, in case of using the lattice solution the probability to choose a bad value a is at least 2^5 times greater compared with the corresponding probability in case of using algorithm Lin_Cong_All. We finish with the following theorem:

Theorem 3. Assume there is an adversary that on input N, e, m^e mod N returns the k − k_0 most significant bits of m with advantage ε and in time t, where N is a k-bit RSA modulus, e is a public key belonging to N and 2k_0 < k holds. Let l ≤ (log N)² be any natural number. Then with advantage ε' ≥ ε(ε − 2^{2k_0+1−k}/l²) and in time 2t + O((log N)^3) we can compute a set S with m ∈ S and #S ≤ l.

If we set l = 1 we get the following corollary:

Corollary 1. Assume there is an adversary that on input N, e, m^e mod N returns the k − k_0 most significant bits of m with advantage ε and in time t, where N is a k-bit RSA modulus, e is a public key belonging to N and 2k_0 < k holds. Then we can break the RSA problem related to (N, e) with advantage at least ε(ε − 2^{2k_0+1−k}) and in time 2t + O((log N)^3).

Note that this achievement is the more valuable the smaller the difference k − 2k_0 is. However, in the case of PKCS #1 v2.0, k_0 is much smaller than k/2, therefore in this case the result is rather of theoretical nature.
4.2 Application to RSA-Paillier Cryptosystem

In section 2.2 we have described the reduction proof given by Catalano et al. [CNS02]. Remember that they have constructed the following congruence

Ax = y mod N², A = a(1 + zN)^{−1} = a(1 − zN) mod N², (8)

which is known to have the solution (r, ρ), where r, ρ are elements of Z/NZ and r is the sought-after RSA message. Hence (r, ρ) is a small solution of (8) as described in subsection 3.2, where we have seen how to find all small solutions. To be concrete, Lin_Cong on the input (A, N² − A, N², N) finds the smallest non-zero solution of (8) and all other small solutions come as integer multiples of this special solution.

We describe the explicit reduction algorithm as follows:

OW-RSA-Paillier

Input: (N, e) RSA public key, c ciphertext, O_RSAP Hensel-lifting oracle
Output: Message r such that c = r^e mod N, or an integer divisor of r

1. obtain t = O_RSAP(c)
2. generate random a ∈ (Z/NZ)^×
3. obtain s = O_RSAP(a^e c mod N)
4. compute v = t a^e s^{−1} mod N²
5. compute z mod N, where ar = ρ(1 + zN) mod N² and ρ = ar mod N (so that v = (1 + zN)^e = 1 + ezN mod N²)
6. compute A = a(1 − zN) mod N²
7. compute (x, y) = Lin_Cong(A, N² − A, N², N)
8. return x + 1
Obviously, the running time of this algorithm is O((log N)^3) plus the time needed for calling the Hensel-lifting oracle twice. To recover the original value r from the returned divisor r' = x + 1, we have to test whether (kr')^e = c mod N, where the multiplier k runs from 1 to (the unknown number) gcd(r, ρ). In the following, we upper-bound the probability that gcd(r, ρ) is not sufficiently small. We exploit the following estimate (see [NZM91]):

\[ \frac{\pi^2}{3} \cdot \frac{2N^2 - 2N}{4N^2 + 4N + 1} \le \sum_{i=1}^{N} \frac{1}{i^2} \le \frac{\pi^2}{3} \cdot \frac{2N^2 + 2N}{4N^2 + 4N + 1}. \]

Hence we have

\[ \#\{(a, b) \in [1, \dots, N]^2 \mid \gcd(a, b) > B\} \le \sum_{i=B+1}^{N} \left\lfloor \frac{N}{i} \right\rfloor^2 \le N^2 \cdot \frac{\pi^2}{3} \left( \frac{2N^2 + 2N}{4N^2 + 4N + 1} - \frac{2B^2 - 2B}{4B^2 + 4B + 1} \right) \le N^2 \cdot \frac{\pi^2}{3} \left( \frac{1}{2} - \frac{2B^2 - 2B}{4B^2 + 4B + 1} \right). \]

As a simple computation shows that

\[ \frac{1}{2} - \frac{2B^2 - 2B}{4B^2 + 4B + 1} = \frac{8B + 1}{2(2B + 1)^2} < \frac{1}{B}, \]

we finally conclude (using π²/3 < 4)

\[ \#\{(a, b) \in [1, \dots, N]^2 \mid \gcd(a, b) > B\} < \frac{4N^2}{B}. \]

The values r and ρ are independently chosen and uniformly distributed elements of Z/NZ. Substituting 5ε^{−2} for B, we therefore deduce that the probability that gcd(r, ρ) exceeds 5ε^{−2} is bounded above by 4ε²/5.

This leads to the following theorem:

Theorem 4. Let O_RSAP be the Hensel-lifting oracle that computes r^e mod N² for given r^e mod N with advantage ε and in time t. Using O_RSAP as a subroutine, we can break the RSA problem (N, e) with advantage ε' ≥ ε²/5 and in time 2t + O((log N)^3 ε^{−2}).


An Example of OW-RSA-Paillier. We present a small example of the reduction algorithm OW-RSA-Paillier. We choose the public key of the RSA-Paillier cryptosystem as (e, N) = (7, 9359629). In our case N² is equal to 87602655017641. Let c = 2592708 be the target ciphertext. We intend to find the integer r such that c = r^e mod N using the oracle O_RSAP.

In step 1 we ask c to the oracle O_RSAP, and we obtain t = O_RSAP(c) = 37278188147938. In step 2, a random integer a ∈ (Z/NZ)^× is generated, and we choose a = 5973500. In step 3, we compute ρ^e = a^e c mod N, ask it to the oracle, and obtain ρ^e mod N² = 59913274976876. In steps 4 and 5, the integer z such that ar = ρ(1 + zN) mod N² is computed, and in our case z = 9040417. In step 6 we obtain the linear equation Ar = ρ mod N² for A = 35049167803493 and two unknown variables 0 < r, ρ < N.

In the following, we solve this linear equation using algorithm Lin_Cong. We list the intermediate values of N', a', c' and y', where N', a' and c' are initialized with N², A and N² − A. The while loop terminates if y' ≤ N holds. Steps 10 and 11 of Lin_Cong are dedicated to computing the output values x and y, which in our case equal r − 1 and ρ.

N'               a'               c'               y'
87602655017641   35049167803493   52553487214148   35049167803493
35049167803493   17544848392838   17504319410655   17544848392838
17544848392838   40528982183      17504319410655   40528982183
40528982183      4200892401       36328089782      4200892401
4200892401       1479941827       2720950574       1479941827
1479941827       238933080        1241008747       238933080
238933080        192589733        46343347         192589733
53559692         7216345          46343347         7216345

The second and the last row are produced by the then-branch of step 5 (with k = 1 and k = 4, respectively), all other rows by the else-branch. In the last cycle diff = 46343347, and y' + diff already exceeds N, so step 10 leaves y = y' = 7216345. The output values are (1835097, 7216345) = (r − 1, ρ). Namely, we successfully find r = 1835098.
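The following Python code is an added worked example and not part of the original paper: it implements Lin_Cong (subsection 3.1) and Lin_Cong_All (subsection 3.2) exactly as listed above, adds a brute-force reference solver for cross-checking on small moduli, and reproduces steps 6 to 8 of OW-RSA-Paillier on the numbers of the example above (a and z are taken from the example as given, i.e. the oracle queries of steps 1 to 5 are not simulated). The function names lin_cong, lin_cong_all, xmin_bruteforce and ow_rsa_paillier_step6_to_8 and the small inputs (7, 10, 101, 5), (90, 20, 97, 30) and (7, 4, 101) are our own constructed choices. Run on the example it returns the pair (1835097, 7216345) of the table and r = 1835098 with r^e = c mod N.

```python
from math import gcd, isqrt


def lin_cong(a, c, N, B):
    """Algorithm Lin_Cong (subsection 3.1): the x-minimal solution (x, y) of
    a*x = y + c (mod N) with x >= 0 and 0 <= y <= B, for 0 < a, B < N,
    0 <= c < N and gcd(a, N) = 1 (c = 0 terminates at once with (0, 0))."""
    assert 0 < a < N and 0 < B < N and 0 <= c < N and gcd(a, N) == 1
    a1, c1, N1 = a, c, N                         # steps 1-2: a', c', N', y'
    y1 = (-c1) % N1
    flag, diff = 0, 0
    while y1 > B:                                # step 3
        diff = N1 - a1                           # step 4
        if diff < a1 and diff < N1 - c1:         # step 5: skip k Euclidean steps
            k = min(a1 // diff, (N1 - c1) // diff)        # step 6
            a1, N1 = a1 - k * diff, N1 - k * diff         # step 7
            flag = 1
        else:                                    # step 8: one step of the
            a1, N1 = (-N1) % a1, a1              # Euclidean-algorithm variant
            flag = 0
        c1 = c1 % N1                             # step 9
        y1 = (-c1) % N1
    if flag == 1:                                # step 10: the sought y may lie in
        y = y1 + ((B - y1) // diff) * diff       # a skipped step of the last cycle
    else:                                        # step 11
        y = y1
    x = (pow(a, -1, N) * (y + c)) % N            # step 12
    return x, y                                  # step 13


def xmin_bruteforce(a, c, N, B):
    """Reference for small N: the same x-minimal solution by trying x = 0, 1, ..."""
    for x in range(N):
        y = (a * x - c) % N
        if y <= B:
            return x, y
    return None


def lin_cong_all(a, c, N):
    """Algorithm Lin_Cong_All (subsection 3.2): all (x, y) with
    a*x = y + c (mod N) and 0 <= x, y < sqrt(N), in the order found."""
    bound = isqrt(N - 1)                         # largest integer t with t*t < N
    S = []
    x, y = lin_cong(a, c, N, bound)              # step 2
    if x > bound:                                # step 3: no small solution at all
        return S
    S.append((x, y))                             # step 4
    # steps 5-6: smallest non-zero solution (x0, y0) of a*x = y (mod N), y >= 0
    x1, y1 = lin_cong(a, N - a, N, bound)
    x0, y0, k = x1 + 1, y1, 1
    while x + k * x0 <= bound and y + k * y0 <= bound:    # steps 7-8
        S.append((x + k * x0, y + k * y0))
        k += 1
    if len(S) > 1:                               # step 9: all small solutions found
        return S
    # steps 10-11: smallest non-zero solution with a negative y-component
    x1, y1 = lin_cong(N - a, a, N, bound)
    x0, y0, k = x1 + 1, -y1, 1
    while x + k * x0 <= bound and y + k * y0 >= 0:        # steps 12-13
        S.append((x + k * x0, y + k * y0))
        k += 1
    return S                                     # step 14


def ow_rsa_paillier_step6_to_8(a, z, N):
    """Steps 6-8 of OW-RSA-Paillier for given a and z (z is what steps 4-5
    extract from the two oracle answers).  Returns (candidate r, A)."""
    N2 = N * N
    A = (a * (1 - z * N)) % N2                   # step 6
    x, _ = lin_cong(A, N2 - A, N2, N)            # step 7: smallest non-zero
    return x + 1, A                              # solution of A*r = rho (mod N^2); step 8


if __name__ == "__main__":
    # Constructed small inputs, checked against the brute-force reference.
    for args in ((7, 10, 101, 5), (90, 20, 97, 30)):
        assert lin_cong(*args) == xmin_bruteforce(*args)
    print(lin_cong_all(7, 4, 101))               # [(1, 3), (2, 10)]
    # The numbers of the example in subsection 4.2.
    e, N, c = 7, 9359629, 2592708
    r, A = ow_rsa_paillier_step6_to_8(5973500, 9040417, N)
    print(A, r, pow(r, e, N) == c)               # 35049167803493 1835098 True
```

Step 10 is coded as y = y' + ((B − y') ÷ diff) · diff, which is the value y' + (k − 1) · diff of the text when k is the first multiplier with y' + k · diff > B. The constructed input (a, c, N, B) = (90, 20, 97, 30) exercises exactly this branch: eleven Euclidean steps are skipped in a single cycle, c' drops to 0 and the sought y = 28 (the brute-force answer is (7, 28)) is recovered from y' = 0.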


5 Conclusion

In this paper we investigated several security reduction algorithms related to the RSA-OAEP and RSA-Paillier cryptosystems. These algorithms require solving a linear modular equation with a small solution. The standard algorithms for solving this task are Gaussian reduction and Euclidean reduction. We proposed an efficient alternative algorithm and showed its advantages. In the case of RSA-OAEP we were able to enhance the advantage of the reduction proof. Referring to RSA-Paillier, the use of our new algorithm provides us with the complete security reduction proof, including explicit bounds for time costs and the achieved advantage.
A Proof of Lemma 1

Before starting the remaining proof of Lemma 1, we recapitulate the notation given in section 3: We write (x, y) for the unique x-minimal solution of the congruence ax = y + c mod N w.r.t. the bound B. The variables y_i, a_i, N_i and c_i constitute the corresponding values produced by the algorithm Lin_Cong (Outline) in the i-th iteration of the while loop, and the value x_i is computed from a_{i−1}, N_{i−1}, c_{i−1}, y and x_{i−1} by

\[ x_i = \frac{a_{i-1} x_{i-1} - y - c_{i-1}}{N_{i-1}}. \]

The linear modular congruence a_i x = y + c_i mod N_i is abbreviated by cong_i.

At first, we introduce a kind of "solution lifting":

Proposition 1. Let (x, y) be a solution of cong_{i+1}. Then the pair

\[ \left( \frac{y + c_i + x N_i}{a_i},\; y \right) \]

is a solution of cong_i. If in addition 0 ≤ x, y < N_{i+1} holds then 0 ≤ (y + c_i + xN_i)/a_i ≤ N_i is fulfilled.

Proof. Note that the value a_i = N_{i+1} cannot be zero, since otherwise iteration (i+1) would not have been reached. First, we show (y + c_i + xN_i)/a_i ∈ Z. The recursion formulas define N_{i+1} = a_i and c_{i+1} = c_i mod N_{i+1} = c_i mod a_i. Hence there is an integer l such that c_{i+1} equals c_i + l a_i. As (x, y) is a solution of cong_{i+1} we conclude

\[ a_i \mid y + c_{i+1} - x a_{i+1} = y + (c_i + l a_i) - x(-N_i \bmod a_i) \;\Rightarrow\; a_i \mid y + c_i + x N_i. \]

It follows immediately that ((y + c_i + xN_i)/a_i, y) is an integer solution of cong_i.

Now assume 0 ≤ x, y < N_{i+1} = a_i. We have

\[ y + c_i + x N_i \le y + c_i + (a_i - 1) N_i < a_i + N_i + (a_i - 1) N_i = a_i + a_i N_i. \]

Therefore we conclude (y + c_i + xN_i)/a_i < N_i + 1, which finishes the proof.

Now we are prepared to prove Lemma 1.

Lemma 1. Let (x_i, y) be the x-minimal solution of cong_i w.r.t. B and let x_i > 0. Then (x_{i+1}, y) is the x-minimal solution of cong_{i+1} w.r.t. B. In particular, the y-value of the current x-minimal solution w.r.t. B does not change during the transformation of Lin_Cong, as long as x_i is non-negative.

Proof. Assume that (x_alt, y_alt) is a solution of cong_{i+1} where 0 ≤ x_alt < N_{i+1} and 0 ≤ y_alt ≤ B. Our goal is to show x_alt ≥ x_{i+1} ≥ 0.

First we prove that x_{i+1} is non-negative. Note that a_i > 0 must hold because otherwise the iteration (i+1) of the while loop would not have been reached. From the definition of x_{i+1} = (a_i x_i − y − c_i)/N_i and the condition x_i > 0 we therefore conclude a_i x_i > 0. Assume x_{i+1} < 0. Hence we have

\[ y + c_i \ge a_i x_i + N_i > N_i \quad\text{and thus}\quad y > N_i - c_i \ge -c_i \bmod N_i = y_i. \]

Thus (0, y_i) is a solution of cong_i with y_i < y ≤ B. This contradicts the preconditions, namely that (x_i, y) is the x-minimal solution of cong_i w.r.t. B and x_i > 0. Consequently, we must have x_{i+1} ≥ 0.

From Proposition 1 we conclude that the pair

\[ \left( \frac{y_{alt} + c_i + x_{alt} N_i}{a_i},\; y_{alt} \right) \]

is a solution of cong_i; in particular we have 0 ≤ (y_alt + c_i + x_alt N_i)/a_i ≤ N_i. As (x_i, y) is the x-minimal solution of cong_i w.r.t. B, we conclude

\[ x_i \le \frac{y_{alt} + c_i + x_{alt} N_i}{a_i}, \quad\text{i.e.}\quad x_{alt} \ge \frac{a_i x_i - y_{alt} - c_i}{N_i}. \qquad (9) \]

In the case of y_alt ≤ y this immediately leads to the desired result x_alt ≥ x_{i+1} = (a_i x_i − y − c_i)/N_i. Thus we consider the case y_alt > y. Looking at the difference between x_{i+1} and the right side of (9) we observe

\[ x_{i+1} - \frac{a_i x_i - y_{alt} - c_i}{N_i} = \frac{y_{alt} - y}{N_i} < 1. \qquad (10) \]

Note that the last inequality must hold since in the case of N_i ≤ B the iteration (i+1) of the while loop would not have been reached. Therefore we finally conclude x_alt ≥ x_{i+1} from (9), (10), and the fact that both x_alt and x_{i+1} are integers.
Abstract. Provable security usually makes the assumption that a source of perfectly random and secret data is available. However, in practical applications, and especially when smart cards are used, random generators are often far from being perfect or may be monitored using probing or electromagnetic analysis. The consequence is the need for a careful evaluation of actual security when idealized random generators are implemented.

In this paper, we show that the Esign signature scheme, like many cryptosystems, is highly vulnerable to so-called partially known nonces attacks.

Using a 1152-bit modulus, the generation of an Esign signature requires drawing at random a 768-bit integer. We show that the exposure of only 8 bits out of those 768 bits, for 57 signatures, is enough to recover the whole secret signature key in a few minutes.

It should be clear that we do not cryptanalyze a good implementation of Esign nor do we find a theoretical flaw. However, our results show that random data used to generate signatures must be very carefully produced and protected against any kind of exposure, even partial.

As an independent result, we show that the factorization problem is equivalent to the existence of an oracle returning the most or least significant bits of S mod p, on input S randomly chosen in Z_{pq}.

Keywords: Esign signature scheme, Lattice reduction, LLL algorithm, Factorization problem.

1 Introduction 

Most cryptographic systems make use of random sources for a range of applications. Random data may, for example, be transformed into secret or private keys for encryption or signature. From a provable security point of view, it is common to assume one has access to a source of perfect randomness. However, such an assumption is far from being totally realistic in many practical applications. The first problem is that a true random number generator must be based on some kind of physical noise source. Such a generator is not commonly accessible on standard computers. When smart cards are used, the situation is even worse since such devices only have access to a very poor and constrained environment. The consequence is that random data is often simulated using a pseudo-random number generator.

In practical applications, there is a danger of adding weaknesses by using a 
biased generator or a weak pseudo-random number generator. Furthermore, with 
devices such as smart cards, the risk of secret data exposure by the way of probing 
or electromagnetic analysis may be increased if the random number generator is 
separated from the rest of the chip. As a consequence, a crucial question, when 
we consider practical security, is the impact of partial exposure of this random 
data for systems which have been proved secure under the assumption that a 
source of perfectly random and secret data is available. 

The answer strongly depends on the application one considers. Usually, key generation is viewed as a crucial issue and people agree that a lot of care must be applied to the production of key material. However, does the exposure of one third of a 128-bit AES key have any real practical implication in usual applications? Such a question is of course rather controversial, but the complexity of an exhaustive search on the remaining secret bits, about 2^85 block encryptions, might still be thought prohibitive. The same reasoning may be applied to other applications such as the choice of nonces or initial vectors. However, in some cases, partial exposure of secret information can have a far more dramatic consequence on the security of the system. Our first example is related to RSA with short public exponent. Boneh, Durfee and Frankel [6] have shown that the exposure of a quarter of the secret exponent enables one to factor the modulus in polynomial time. Similar results on the DSA signature scheme are even more impressive. This scheme uses 160 bits of fresh random data, often called one-time key or ephemeral key, for each signature generation. It is well known that the exposure of those data enables one to recover the secret signature key very easily. Howgrave-Graham and Smart [16] applied lattice reduction techniques to prove that the knowledge of only 8 bits out of the 160 bits of the ephemeral keys for 30 signed messages enables one to recover the secret key in a few seconds! In the same vein, following Boneh and Venkatesan [7], Nguyen and Shparlinski [19] have shown that indeed only 3 bits out of the 160 bits of each one-time key, for 100 messages, are enough to make the attack feasible. Finally, Bleichenbacher [3] has shown that if just one bit out of the 160 bits is biased, as was the case with the pseudo-random generator initially proposed by NIST [21], it is possible to mount an attack with time complexity 2^64, memory complexity 2^40 and 2^22 signatures.

Another analysis of the security of DSA in practical implementations, was 
done by Bellare, Goldwasser and Micciancio [2]. They did not assume partial 
exposure of ephemeral keys but their randomness was generated by a weak 
pseudo-random number generator, namely the linear congruential generator. In 
this case, DSA is totally insecure and the knowledge of a few signatures leads to 
the computation of the secret signature key. 
All these results show that in some applications, such as DSA, data must be perfectly random and must remain completely secret. This does not mean that DSA is not secure but it points out a potential source of weakness. In actual implementations, the mechanism used to generate random data must be carefully chosen and evaluated, both from an algorithmic point of view and from a technological point of view. For example, electromagnetic analysis or probing techniques may enable one to learn a few random bits, even if it is not possible to recover the whole secret by these means. The above mentioned results show that the knowledge of a very small part of those bits is enough to totally break systems such as DSA.

Our Results 

In this paper, we focus on the practical security of the Esign signature scheme 
[11]. Of course, in practical applications, this scheme is much less used than 
DSA. However, Esign could be preferred in many scenarios from a computa- 
tional efficiency point of view. This is important when the signature device has 
low computing resources, which is the case with smart cards for instance. For 
applications such as on the fly signature with a contactless card (typical for fast 
and secure payment in the subway), Esign may be a very good candidate. Its 
practical security must consequently be carefully analyzed. 

The technique we develop, and apply to careless Esign implementations, is 
of independent interest. It may be applied to other factorization based cryp- 
tosystems. Assuming partial exposure of a very small part of some secret data, 
our lattice reduction based technique allows one to factor the modulus very ef- 
ficiently. Typically, this may be applied to the optimization of some SPA/DPA 
attacks on RSA systems [22,10]. 

In this paper, we describe an efficient technique based on the partial exposure of a few bits of Esign ephemeral keys. More precisely, using a 1152-bit modulus, the generation of an Esign signature requires drawing at random a 768-bit integer. We show that the exposure of only 8 bits out of those 768 bits for 57 signatures is enough to recover the whole secret signature key in a few minutes.

It should be clear that we propose neither a cryptanalysis of Esign nor a theoretical flaw. However, our results show that random data used to generate signatures must be very carefully produced and protected against any kind of exposure, even partial.

Previous Works 

The hidden number problem (HNP) was introduced by Boneh and Venkatesan 
in [7] in order to prove the hardness of the most significant bits of secret 
keys in Diffie-Hellman and related schemes in prime fields. The HNP can be 
defined as follows: given $s_1, \dots, s_d$ chosen uniformly and independently at 
random in $\mathbb{Z}_q^*$ and $\mathrm{MSB}_\ell(\alpha s_i \bmod q)$ for all $i$, the problem is to recover $\alpha \in \mathbb{Z}_q^*$. 
Here, $\mathrm{MSB}_\ell(x)$ for $x \in \mathbb{Z}_q$ denotes any integer $z$ satisfying $|x - z| < q/2^{\ell+1}$. 
In [7], the authors present a simple solution to this problem by reducing HNP 



The Insecurity of Esign in Practical Implementations 495 


to a lattice closest vector problem (CVP). In particular, they show that the 
HNP can be solved if $\ell > \sqrt{\log q} + \log\log q$ and $d = 2\sqrt{\log q}$. According 
to [20], using the best known polynomial-time CVP approximation algorithm 
due to Ajtai et al. [1] and Kannan [17], $\ell$ can be asymptotically improved to 
$O\big(\sqrt{\log q}\,\log\log\log q / \log\log q\big)$. 

In this paper we consider a problem related to an HNP modulo a 
secret value and we propose an algorithm to solve it. In [4], Boneh also mentions 
the HNP modulo $N = pq$. Now, $p$ and $q$ denote the factors of a modulus $N$. 
Our problem can be formulated as follows: given $s_1, \dots, s_d$ chosen uniformly 
and independently at random in $\mathbb{Z}_N^*$ and $\mathrm{MSB}_\ell(s_i \bmod p)$ for all $i$, the problem 
is to recover $p$. Our algorithm uses the orthogonal lattice theory of [20] to obtain 
several small lattice vectors. Moreover, we also use the extension of Nguyen and 
Shparlinski [19], based on the notion of discrepancy, for the case where the distribution 
of the $s_i$ is not perfectly uniform. Indeed, if we write $|s|_p = \min_{b \in \mathbb{Z}} |s - bp|$ for any 
integer $s$, the values $s_i$ in the lattice are such that $|s_i|_p < p/2^\ell$ and are thus not 
uniformly distributed in $\mathbb{Z}_p$. If $N$ is a 1024-bit modulus, then the results of the 
HNP say that with $d = 64$ and $\ell = 9$, $N$ can be factored. We get similar results 
with our algorithm. 

Finally, contrary to the lattice based algorithm used by Boneh, Durfee and 
Howgrave-Graham [5], our factorization algorithm uses an oracle. In some cases, 
this oracle can be found in practical implementations. For example, if the 
pseudorandom generator of the nonces used in an Esign implementation is biased such 
that the MSBs can be learned, then we can break the signature scheme by factoring 
the modulus. In this application, the secret modulus is a composite number 
$pq$ and $N = p^2 q$. This paper can be seen as an extension of previous attacks 
on signature schemes based on the discrete log, such as DSA in [19,16], to some 
factorization based signature schemes. 

The results in this paper were independently discovered, but are of a similar 
vein to those found in the Esign technical review [15]. 

2 Description of Esign 

Esign is a signature scheme proposed by Okamoto and Shiraishi in 1985 [23]. It is 
based on modular computations with a special form modulus. The main advantage 
of Esign is its efficiency. Compared to RSA or EC based schemes, Esign is several 
times faster in terms of signature and verification performance. 

Let $N = p^2 q$ be a $3k$-bit integer, with $p$ and $q$ two primes of roughly the same 
length. The secret key consists of the two $k$-bit primes $p$ and $q$. The public key 
is $(N, e)$, where $e$ is an integer larger than 4. The scheme uses a cryptographic 
hash function $H$ to compute $(k-1)$-bit long message digests. The signature of 
a message $M$ is performed as follows: 

1. the message $M$ is first hashed into $H(M)$. We denote by $y$ the integer corresponding 
to the $3k$-bit string $0 \| H(M) \| 0^{2k}$, where $0^{2k}$ denotes the concatenation 
of $2k$ null bits, 

2. an integer $r$ is randomly chosen in $\mathbb{Z}_{pq}^*$, 



496 Pierre-Alain Fouque et al. 


3. Compute: 

(a) $z = y - r^e \bmod N$, 

(b) $w_0 = \lceil z / (pq) \rceil$, 

(c) $w_1 = w_0 pq - z$. If $w_1 \ge 2^{2k-1}$, then go back to step 2, 

(d) $u = w_0 \, (e r^{e-1})^{-1} \bmod p$, 

(e) $s = r + u pq$, 

4. Return $s$ as a signature for $M$. 

Note that in the rest of this paper, we often write signatures as the sum of the 
random nonce $r$ and a multiple $u \times pq$ of the secret key $pq$. 

To verify that a signature $s$ is valid for the message $M$, a verifier simply checks 
whether the $k$ most significant bits of $s^e \bmod N$ are equal to $0 \| H(M)$. The verification 
algorithm is consistent since $(pq)^2 = qN \equiv 0 \pmod N$ kills all higher binomial terms, 
and $e r^{e-1} u \equiv w_0 \pmod p$ by step (d): 

$$
\begin{aligned}
s^e &= (r + upq)^e \bmod N \\
    &= r^e + e r^{e-1} u pq \bmod N \\
    &= (y - z) + w_0 pq \bmod N \\
    &= y + w_1 \bmod N
\end{aligned}
$$

Since $w_1 < 2^{2k-1}$, and $N$ is exactly $3k$ bits long, the $k$ most significant bits of 
$s^e \bmod N$ are those of $y$, i.e. $0 \| H(M)$. 

The security of Esign is based on a variant of the RSA problem which consists 
in computing modular $e$-th roots. More precisely, even the computation of 
approximations of such roots seems to be difficult. The Approximate $e$-th Root 
(AER) problem is formally defined as follows: 

Given a modulus $N = p^2 q$, an exponent $e > 4$ and $y \in \mathbb{Z}_N^*$, find $x \in \mathbb{Z}_N^*$ 
such that $x^e \bmod N \in [y, y + 2^{2k-1}]$. 

The knowledge of the factorization of $N$ gives an efficient solution to this problem. 
Without $p$ or $q$, this problem is believed to be hard. The AER assumption 
is that the AER problem is intractable. 

The initial scheme proposed in [23] was based on the exponent $e = 2$. This 
version was cryptanalyzed the same year by Brickell and DeLaurentis in [8]. 
The cubic scheme has also been broken using lattice reduction (see in particular 
[9,13,26]). However, for $e > 4$, no attack has been reported so far. A 
potential way to break the signature scheme is to factor the modulus $N$ and then 
to recover the secret key. This constitutes a total break of the scheme. Note that 
if the random value $r$ is compromised for just one signature, the factorization 
can be easily recovered. Indeed, since $s = r + upq$, if $r$ is known, then the GCD 
of the modulus $N = p^2 q$ and $s - r = upq$ reveals $pq$ (as $0 < u < p$). 

We also notice that the knowledge of $r^e \bmod N$ allows one to recover the prime 
factors $p$ and $q$. Indeed, $s^e$ can be written as $r^e + e r^{e-1} u pq \bmod N$, so the 
GCD of $N$ and $s^e - r^e \bmod N$ gives $pq$. The secrecy of the random values is 
consequently a crucial issue for Esign. 
Moreover, the scheme with $e > 4$ and $e$ coprime with $\phi(N) = p(p-1)(q-1)$ 
is provably secure in the random oracle model. More precisely, it is proved secure 
against existential forgeries in the Single Occurrence Chosen Message Attack 
scenario, under the AER assumption (see [25]). An adversary querying a signature 
oracle for messages of his choice, but with the restriction that a message 
cannot be submitted twice to the oracle, cannot forge a signature for a message. 
Otherwise, he can solve the AER problem, supposed to be intractable. Extending 
the proof to the stronger adaptive chosen message attack model is an open 
problem. Thus, two different ways have been proposed to make Esign provably 
secure in the strong sense [14]. The first method, called Esign-D, is deterministic: 
the random nonce $r$ is generated from the message to sign and an additional 
secret string, included in the private key. The second one, called Esign-R, uses 
another random nonce $\rho$, given as part of the signature, to generate the hash of 
the message as $H(M \| \rho)$. In the following, the attacks we present are not chosen 
message ones, but are based on flawed implementations. Hence, they do not 
depend on the version used. So without loss of generality, we focus on the first 
scheme described above. 

3 Lattice Based Attacks 

In this section we first recall some basic facts about lattices and reduction 
algorithms. Then, we detail how to use lattice reduction in order to factor a modulus 
such as $N$ under some assumptions on the random data used in Esign. 


3.1 Lattice Reduction 

Notations. Let $N = p^2 q$ be an Esign modulus. Then any integer $s$ in $\mathbb{Z}_N$ can be 
written as $s = r + upq$ with $0 \le r < pq$ and $0 \le u < p$. 

Definitions. In the following, we denote by $\|x\|$ the Euclidean norm of the vector 
$x = (x_1, \dots, x_{d+1})$, defined by $\|x\| = \sqrt{\sum_i x_i^2}$. Let $v_1, \dots, v_d$ be $d$ linearly 
independent vectors such that for $1 \le i \le d$, $v_i \in \mathbb{Z}^{d+1}$. We denote by $L$ the 
lattice spanned by the matrix $V$ whose rows are $v_1, \dots, v_d$. $L$ is the set of all 
integer linear combinations of $v_1, \dots, v_d$: 

$$
L = \Big\{ \sum_{i=1}^d a_i v_i \;:\; a_i \in \mathbb{Z} \Big\}
$$

Geometrically, $\det(L) = \sqrt{\det(V \times V^T)}$ is the volume of the parallelepiped spanned 
by $v_1, \dots, v_d$. Hadamard's inequality says that $\det(L) \le \|v_1\| \times \dots \times \|v_d\|$. 

Given $(v_1, \dots, v_d)$, the LLL algorithm [18] will produce a so called "reduced" 
basis $(b_1, \dots, b_d)$ of $L$ such that 

$$
\|b_1\| \le 2^{(d-1)/2} \det(L)^{1/d} \qquad (1)
$$

in time $O(d^4 \log M)$ where $M = \max_{1 \le i \le d} \|v_i\|$. Consequently, given a basis of 
a lattice, the LLL algorithm finds a short vector $b_1$ of $L$ satisfying equation (1). 
Moreover, we assume in the following that the new basis vectors are all of about the same 
length and also have all their coordinates of approximately the same size. 
Indeed, a basis of a random lattice can be reduced into an almost orthogonal 
basis. Therefore, $\|b_i\| \approx \|b_1\|$ for $1 \le i \le d$, and so $\|b_1\|^d \approx \det(L)$. 


3.2 Lattice-Based Factoring Algorithm 

In this subsection, we present a lattice technique to factor a modulus $N = p^2 q$, 
where $p$ and $q$ are two $k$-bit primes, given an oracle $\mathcal{O}_{\ell,pq}$ that, on input $s \in 
\mathbb{Z}_N$, returns the $\ell$ MSBs of $s \bmod pq$. We will see in section 4 that in practical 
applications it is sometimes possible to realize such an oracle. In the following 
we denote by $n = 3k$ the bit length of $N$. 

Let $s \in \mathbb{Z}_N$ be an integer smaller than $N$. If an $\mathcal{O}_{\ell,pq}$ oracle is available, let 
us query the $\ell$ most significant bits of $s \bmod pq$; we denote by $t$ the answer of 
the oracle. Then, $s' = s - t \times 2^{2k-\ell}$ may always be written as $r + upq$ with $0 \le 
r < pq/2^\ell$ and $0 \le u < p$. Finally, after $d$ queries to the oracle, we may consider 
that we know $d$ integers $s_i \in \mathbb{Z}_N$ such that $s_i = r_i + u_i pq$ with $0 \le r_i < pq/2^\ell$ 
and $0 \le u_i < p$. However, the $r_i$ and $u_i$ values are unknown. Our objective is to 
recover $pq$. 

First we note that if we are able to recover one of the $u_i$, then recovering 
the factors $p$ and $q$ of $N$ can be done efficiently. Indeed, we suppose first that 
the recovered $u_i$ value is larger than $p/2^\ell$. This occurs with probability $1 - 1/2^\ell$, 
and if it is not the case we can recover another $u_i$ until this event occurs. Thus, 
we have $p/2^\ell < u_i < p$ and we can write $s_i/u_i = r_i/u_i + pq$ where $r_i/u_i$ is at 
most $k$ bits (since $r_i/u_i < q$). Consequently, the $k$ most significant bits of $s_i/u_i$ are those of $pq$. 
We denote by $A$ the integer matching $pq$ on its $k$ MSBs and with its $k$ least 
significant bits set to zero. The $2k$-bit value $A$ is known and we can write $pq = A + a$ where 
$a < 2^k$ is unknown. Finally, since $N = p \times pq = p \times (A + a)$, we have: 

$$
\frac{N}{A} = p + \frac{pa}{A} \qquad (2)
$$

where $0 \le pa/A < 2$, since $pa$ is at most $2k$ bits and $A$ is exactly $2k$ bits. Thus, 
$p$ equals either $\lfloor N/A \rfloor$ or $\lfloor N/A \rfloor - 1$. 

In the following, we present an algorithm to recover all the $u_i$. In a first 
phase, the algorithm looks for small linear integer combinations of the $s_i$ using 
the LLL algorithm. Then, in a second phase, we solve a linear system to recover 
the $u_i$. In the sequel, we describe these two phases. 


Finding Small Linear Integer Combinations of the $u_i$. The following lemma 
shows that finding a linear integer combination of the $s_i$ that is small and has small 
coefficients is sufficient to find a null linear combination of the $u_i$. 

Lemma 1. Let $N = p^2 q$ be an $n$-bit modulus with $p$ and $q$ of roughly the same 
length. Let $s_1, \dots, s_d$ be $d$ random integers in $\mathbb{Z}_N$, $s_i = r_i + u_i pq$, such that 
$|r_i| < pq/2^\ell$ for $1 \le i \le d$. 
If there exist $d$ integers $c_i$, for $1 \le i \le d$, such that $c = \max_{1 \le i \le d} |c_i| < 2^\ell/d$ 
and $|\sum_{i=1}^d c_i s_i| < pq$, then $\sum_{i=1}^d c_i u_i \in \{-1, 0, 1\}$. 

Moreover, if $c < 2^\ell/(2d)$ and $|\sum_{i=1}^d c_i s_i| < pq/2$, then $\sum_{i=1}^d c_i u_i = 0$. 

Proof. By definition, we have $\sum_{i=1}^d c_i s_i = \sum_{i=1}^d c_i r_i + pq \sum_{i=1}^d c_i u_i$. Thus, by the 
triangle inequality, we can write: 

$$
pq \Big| \sum_{i=1}^d c_i u_i \Big| \le \Big| \sum_{i=1}^d c_i s_i \Big| + \Big| \sum_{i=1}^d c_i r_i \Big| \qquad (3)
$$

Moreover, since $c < 2^\ell/d$ and $|r_i| < pq/2^\ell$ for $1 \le i \le d$, then 

$$
\Big| \sum_{i=1}^d c_i r_i \Big| \le d \times c \times \frac{pq}{2^\ell} < pq
$$

Now we know that $|\sum_{i=1}^d c_i s_i| < pq$. Then from equation (3), $pq \, |\sum_{i=1}^d c_i u_i| < 
2pq$ and $|\sum_{i=1}^d c_i u_i| < 2$. This proves the first part of the lemma. The second 
part of the lemma follows from the same computations with the halved bounds. □ 

Therefore, we look for small integer linear combinations of the $s_i$, i.e. such that 
$|\sum_{i=1}^d c_i s_i| < pq$ and $c < 2^\ell/d$. From the previous lemma, finding such a combination 
gives a linear equation in the $u_i$ variables. 

Now we present a lattice-based method to recover the coefficients of a small 
combination of the $s_i$. Suppose $K$ is an integer less than $N$, whose exact value 
will be defined later. We consider the following $d \times (d+1)$-matrix: 

$$
M = \begin{pmatrix}
K & 0 & \cdots & 0 & s_1 \\
0 & K & \cdots & 0 & s_2 \\
\vdots & & \ddots & & \vdots \\
0 & 0 & \cdots & K & s_d
\end{pmatrix}
$$

The size of the original basis vectors is approximately $N$ since the $s_i$ are integers 
in $\mathbb{Z}_N$. In order to estimate the size of a small vector returned by LLL, we upper 
bound the volume of the lattice $L$ spanned by the rows of $M$. In the following, 
we compute the determinant of the lattice $L$ and show that 

$$
\det(L)^2 = K^{2d-2} \Big( K^2 + \sum_{i=1}^d s_i^2 \Big)
$$

Since $L$ is not a full-rank lattice, its volume is the square root of the determinant 
of the Gramian matrix [12], $M \times M^T$. Thus, we have: 

$$
\det(L)^2 = \det(M \times M^T) =
\begin{vmatrix}
s_1^2 + K^2 & s_1 s_2 & \cdots & s_1 s_d \\
s_2 s_1 & s_2^2 + K^2 & \cdots & s_2 s_d \\
\vdots & & \ddots & \vdots \\
s_d s_1 & s_d s_2 & \cdots & s_d^2 + K^2
\end{vmatrix}
$$

We can factor the first row by $s_1$, the second by $s_2$, ..., the last by $s_d$, and similarly for the 
columns. Therefore the determinant can be written as 

$$
\det(L)^2 = \prod_{i=1}^d s_i^2 \times
\begin{vmatrix}
1 + K^2/s_1^2 & 1 & \cdots & 1 \\
1 & 1 + K^2/s_2^2 & \cdots & 1 \\
\vdots & & \ddots & \vdots \\
1 & 1 & \cdots & 1 + K^2/s_d^2
\end{vmatrix}
$$

The last determinant can be computed exactly and is equal to 

$$
\prod_{i=1}^d \frac{K^2}{s_i^2} + \sum_{i=1}^d \prod_{j=1,\, j \ne i}^d \frac{K^2}{s_j^2}
$$

and consequently, 

$$
\det(L)^2 = K^{2d-2} \Big( K^2 + \sum_{i=1}^d s_i^2 \Big)
$$

Therefore, since for all $i$, $|s_i| < N$ and $K < N$, we get $\det(L) < K^{d-1} \sqrt{d+1}\, N$, and the size 
of the small vector returned by LLL on this lattice is less than 

$$
2^{(d-1)/2} \times (d+1)^{1/2d} \times K^{(d-1)/d} N^{1/d}
$$

For the present discussion we ignore factors like $2^{(d-1)/2}$ that depend only on the 
size of the matrix. Indeed, in practice, LLL returns a short vector much smaller 
than the theoretical upper bounds. Consequently, we can assume that the shortest 
vector returned by LLL is of length about $(d+1)^{1/2d} \times K^{(d-1)/d} N^{1/d}$. 

Now we fix $K = \big\lceil N^{(2d-3)/(3(d-1))} / 2 \big\rceil$. As a consequence, a simple computation 
shows that, in this case, the length of a short vector returned by LLL is less than 

$$
(d+1)^{1/2d} \times N^{2/3} / 2^{(d-1)/d}
$$

which is less than $pq$ since $\sqrt{d+1} \ll N^{1/3}$. Therefore a short vector has all its 
coordinates smaller than $pq$. 
In the following, we show how a short vector $b_1$ returned by LLL allows us 
to determine the coefficients of a short linear combination of the $s_i$. Due to the 
form of the matrix $M$, $b_1$ can be written as 

$$
b_1 = \Big( K c_1, \dots, K c_d, \sum_{i=1}^d c_i s_i \Big) \qquad (4)
$$

where the $c_i$ are integers. We denote by $c$ the maximum of the $|c_i|$. If $b_1$ is a 
short vector returned by LLL, then all its coordinates are smaller than $pq$. In 
particular, we have $Kc < pq$. Consequently, $c < 2pq / N^{(2d-3)/(3(d-1))}$. Furthermore, if 
$\ell \ge \frac{n}{3(d-1)} + \log(d) + 1$, then 

$$
c < \frac{2 N^{2/3}}{N^{(2d-3)/(3(d-1))}} = 2 N^{1/(3(d-1))} = 2 \cdot 2^{n/(3(d-1))} \le \frac{2^\ell}{d}
$$

Therefore, since $|\sum_{i=1}^d c_i s_i| < pq$ and $c < 2^\ell/d$, lemma 1 implies that 
$\sum_{i=1}^d c_i u_i \in \{-1, 0, 1\}$. 

As a consequence, if we have $d$ random values $s_i = r_i + u_i pq$, where $|r_i| < 
pq/2^\ell$ and $\ell \ge \big\lceil \frac{n}{3(d-1)} + \log(d) + 1 \big\rceil$, then the shortest vector returned by LLL 
gives us the coefficients of a very small combination of the $u_i$ and we finally have 
a linear equation in the $u_i$ variables. 

However, one equation is not sufficient to recover at least one $u_i$. In the 
second phase of our algorithm, we show that in fact we can obtain $d$ very small 
linear combinations of the $u_i$. 


Recovering the $u_i$. The vectors of the new lattice basis have the property of 
being all of about the same length. Consequently, each vector $b_i$ of the new basis 
gives a small integer combination of the $s_i$ and so of the $u_i$. Experimentally, we 
observe that the linear combination of the $u_i$ is null except for the last one which 
is equal to $\pm 1$. 

Thus, each short vector returned by LLL gives a small linear combination 
of the $s_i$. The matrix returned by the LLL algorithm can be expressed as $C \times M$ 
where 

$$
C = \begin{pmatrix}
c_{1,1} & c_{1,2} & \cdots & c_{1,d} \\
\vdots & & & \vdots \\
c_{d,1} & c_{d,2} & \cdots & c_{d,d}
\end{pmatrix}
$$

Each row of $C$ contains the coefficients of a small linear combination of the 
$s_i$. The matrix $C$ is invertible since its determinant is $\pm 1$ (both $C \times M$ and $M$ are 
bases of the same lattice), and thus solving the system $u \cdot C^T = (0, \dots, 0, \pm 1)$, 
where $u = (u_1, \dots, u_d)$, allows us to recover the $u_i$. 

Once the $u_i$ are obtained, recovering half of the bits of $pq$ is easy by computing 
$\lfloor s_i / u_i \rfloor$ for one of the values $s_i$. Then $p$ is computed according to equation (2). Finally, 
we have the following theorem: 

Theorem 1. Let $N = p^2 q$ be an $n$-bit modulus. Given an oracle $\mathcal{O}_{\ell,pq}$ that, 
on input $s \in \mathbb{Z}_N$, returns the $\ell$ most significant bits of $s \bmod pq$, where $\ell \ge 
\big\lceil \frac{n}{3(d-1)} + \log(d) + 1 \big\rceil$ and $d < n$, there exists a probabilistic polynomial-time 
algorithm in $n$ to factor $N$ from $d$ random and independent numbers $s$ in $\mathbb{Z}_N$. 

3.3 Extending the Attack to the Least Significant Bits 

In this paper, we focus on the importance of the confidentiality of the MSBs. However, 
this presentation has been chosen for simplicity reasons, since the same analysis can 
be done with the least significant bits. More precisely, the knowledge of the $\ell$ least 
significant bits of $s_i \bmod pq$, for $d$ values $s_i \in \mathbb{Z}_N$, also allows us to factor $N$, 
for the simple reason that the knowledge of the least significant bits can be 
reduced to the knowledge of the most significant bits, as explained below. 

Consider a $3k$-bit Esign modulus $N = p^2 q$. A value $S$ randomly chosen in 
$\mathbb{Z}_N$ can always be written as $S = r + upq$ where $0 \le r < pq$ and $u < p$. 
Assume now that the $\ell$ LSBs of $r$, denoted by $r_0$, are known. Then, the $\ell$ LSBs 
of $S - r_0 \bmod pq = r - r_0$ are zero. We now denote by $r_1$ the $(2k - \ell)$-bit value 
$(r - r_0)/2^\ell$. Let $\alpha$ be the inverse of $2^\ell \bmod N$. We can note that $\alpha$ is also the 
inverse of $2^\ell$ modulo $pq$. Consequently, we can compute 

$$
\begin{aligned}
\alpha \times (S - r_0) &= \alpha \times (r - r_0) \bmod pq \\
&= \alpha \times 2^\ell \times \frac{r - r_0}{2^\ell} \bmod pq \\
&= (1 \bmod pq) \times r_1 \bmod pq \\
&= r_1 \bmod pq
\end{aligned}
$$

Therefore, $s = \alpha (S - r_0) \bmod N$ can be written as $r_1 + u_1 pq$ for some $u_1 < p$ and 
$r_1 < pq/2^\ell$. Thus $s$ is a candidate input for the matrix $M$ of the algorithm of 
the previous subsection. 


3.4 Application to RSA Modulus 

It is worth noticing that this algorithm is independent of the special form $N = 
p^2 q$ of the modulus. It also works for any RSA modulus $N = pq$ as soon as: 

$$
\ell \ge \Big\lceil \frac{n}{2(d-1)} + \log(d) + 1 \Big\rceil
$$

If $s_i \in \mathbb{Z}_N$ is written as $s_i = r_i + u_i p$, for $r_i < p/2^\ell$ and $u_i < q$, then we can 
recover the $u_i$ and compute $p$ from $\lfloor s_i / u_i \rfloor$. 

As a consequence, if there exists an oracle $\mathcal{O}_{\ell,p}$ which on input $S \in \mathbb{Z}_N$ 
returns the $\ell$ most significant bits of $S \bmod p$ where $p$ is a factor of the modulus 
$N$, then we can factor $N$ in polynomial time in $\log(N)$. Therefore the problem 
of finding the $\ell$ MSBs of $S \bmod p$ for $d$ different random and independent values 
$S \in \mathbb{Z}_N$ is equivalent to the factorization problem. 

4 Partially Known Nonces in Esign Signature Scheme 

In the following we describe some potential flaws in practical implementations 
of Esign. The main idea is to notice that the secrecy and the randomness of all 
the nonces is a crucial security point: the knowledge of only a few bits of these 
random values is enough to efficiently recover the secret signature key. 

Let $N = p^2 q$ be an Esign modulus where $p$ and $q$ are two $k$-bit primes such that 
$q < p$. The signature scheme is fully described in section 2. 

We first consider an attack on Esign when the random nonces are not full-size. 
Suppose the random number generator is biased so that the most significant bits 
of the random values are always zero. We show how to efficiently factor the modulus 
from a small set of signatures by using the technique described in section 3.2. 
Precisely, suppose the random number generator produces nonces smaller than 
$pq/2^\ell$, for an integer $\ell \ge 1$, instead of drawing uniformly distributed 
integers in the interval $[0, pq[$. We know that all the generated signatures may 
be written as $s = r + upq$ where $r$ is the random nonce. Thus, a signature is a 
noisy multiple of the secret factor $pq$. If the number $\ell$ of null most significant 
bits of $r$ is sufficiently large, then we can factor $N$ by recovering $p$ with the 
technique presented above. The attack goes as follows: suppose we have a set of 
$d$ Esign signatures for any messages. Each can be written as $s_i = r_i + u_i pq$, 
for $1 \le i \le d$, where $r_i < pq/2^\ell$ and $u_i < p$. As shown in section 3.2 we can 
recover the $u_i$ by reducing a lattice with the LLL algorithm as soon as we have 
$\ell \ge \big\lceil \frac{n}{3(d-1)} + \log(d) + 1 \big\rceil$, where $n$ is the bit size of the modulus $N$. Then we 
can write: 

$$
\frac{s_i}{u_i} = \frac{r_i}{u_i} + pq
$$

We remark that $\lfloor r_i / u_i \rfloor$ is at most a $k$-bit integer. Thus, we can finally recover 
$p$ according to equation (2). Experimental results are provided below. The tests 
have been run on an Intel Pentium IV, XEON 1.5 GHz, with Shoup's library 
NTL ([24]). For each modulus length $n$, we give the length of $pq$ (that is also 
the expected length for the random $r$), the effective length of the nonce $r$, the 
experimental and theoretical bounds for $\ell$, and the time needed to recover $p$ and 
$q$. The number of required signatures is $d$. 

We observe that the experimental bound for $\ell$ is better than expected. This 
can be simply explained by the good performance of the LLL algorithm. In 
practice, this algorithm works indeed better than expected and the vectors returned 
are shorter than the provable upper bounds. Another explanation can 
be given for this fact: in section 3.2, we have used a theoretical bound on the 
sum, $|\sum_{i=1}^d c_i s_i| \le d c N$. This bound has then been used to find the theoretical 
bound on $\ell$. However, in practice, the sum $\sum_{i=1}^d c_i s_i$ is approximately $\sqrt{d}\, c N$ on 
average. Thus, this gives a smaller bound on $\ell$: the algorithm works as soon as 
$\ell \ge \big\lceil \frac{n}{3(d-1)} + \log(\sqrt{d}) + 1 \big\rceil$. This gives results closer to the experimental results. 
This bound is given in figure 1. 

Fig. 1. Experimental results on Esign with partially known nonces (a dash marks 
an entry that is not legible in the source). 

  n = 3k | 2k   | log(r) | experimental bound for ℓ | theoretical bound for ℓ | d  | time to factor 
  512    | 340  | 335    | 5                        | 8                       | 55 | 2 min 10 
  768    | 512  | -      | -                        | 9                       | 55 | 2 min 20 
  1024   | -    | 674    | 8                        | 11                      | 56 | 2 min 30 
  1152   | 768  | -      | 8                        | 11                      | 57 | 3 min 
  1536   | 1024 | 1013   | 11                       | 14                      | 57 | 4 min 10 
  2048   | 1364 | 1349   | 15                       | 17                      | 57 | 5 min 50 

Hence, if the random number generator produces nonces in an interval smaller 
than expected, then the secret key can be recovered from a small set of 
signatures, for any messages. However, even if the random values are generated 
in the whole interval $[0, pq[$, the difference between two consecutive nonces should 
not be too small. Indeed, in this case, the same attack applies: considering the 
differences $s_{i+1} - s_i$, whose most significant bits modulo $pq$ are small, gives the 
same results. 

Thus, the random number generator is a crucial security point and the nonces 
should be generated uniformly and independently in the range $[0, pq[$. If we now 
consider physical attacks such as probing or electromagnetic analysis, the attack can 
also be mounted as soon as the observation of the $\ell$ MSBs or LSBs of the random 
nonces is feasible. This may be realistic using smart cards. 
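The lattice procedure of sections 3.2 to 3.4 and the biased-nonce attack above, carried out end to end, as an added example that is not part of the paper (the paper's experiments used NTL; this is independent illustration code). It assumes toy sizes: 24-bit primes, $d = 5$ samples and $\ell = 16$ known bits (Theorem 1 asks for $\ell \ge 10$ here). The samples $s_i = r_i + u_i pq$ are constructed directly rather than taken from real signatures, and $K$ is set to $2^{2k-\ell}$ (about $pq/2^\ell$) to balance the two halves of each lattice vector, which is this example's choice and not the paper's $K$. One refinement of the "last row equals $\pm 1$" observation is used: when the other reduced rows are null combinations of the $u_i$, unimodularity of $C$ forces the remaining row's combination to be $\pm\gcd(u_1, \dots, u_d)$, so the search also tries small multiples.

```python
"""Lattice recovery of p from s_i = r_i + u_i pq with r_i < pq/2^l (sections 3.2-3.4, 4).
Added illustration at toy size; the paper's experiments used NTL, not this code."""
from fractions import Fraction
import math
import random

K_BITS = 24                         # p, q are 24-bit primes -> 72-bit N (assumed toy size)

def is_prime(n):                    # trial division is enough for 24-bit candidates
    return n > 1 and all(n % i for i in range(2, math.isqrt(n) + 1))

def next_prime(n):
    while not is_prime(n):
        n += 1
    return n

P = next_prime((1 << K_BITS) - 300)
Q = next_prime((1 << (K_BITS - 1)) + 4000)
N = P * P * Q

def bound_ell(n, d, improved=False):
    """Known MSBs needed for d samples and an n-bit N: ceil(n/(3(d-1)) + log2(d) + 1),
    or with log2(sqrt(d)) for the heuristic bound used in Fig. 1."""
    logd = math.log2(d) / (2 if improved else 1)
    return math.ceil(n / (3 * (d - 1)) + logd + 1)

def lll_reduce(basis, delta=Fraction(3, 4)):
    """Textbook LLL with exact rational Gram-Schmidt; adequate for the 5 x 6 matrix used here."""
    b = [list(row) for row in basis]
    n = len(b)
    dot = lambda x, y: sum(xi * yi for xi, yi in zip(x, y))

    def gram_schmidt():
        bstar, mu = [], [[Fraction(0)] * n for _ in range(n)]
        for i in range(n):
            v = [Fraction(x) for x in b[i]]
            for j in range(i):
                mu[i][j] = dot(b[i], bstar[j]) / dot(bstar[j], bstar[j])
                v = [vi - mu[i][j] * bj for vi, bj in zip(v, bstar[j])]
            bstar.append(v)
        return bstar, mu

    bstar, mu = gram_schmidt()
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):                      # size-reduce b_k by b_j
            q = round(mu[k][j])
            if q:
                b[k] = [x - q * y for x, y in zip(b[k], b[j])]
                for t in range(j):
                    mu[k][t] -= q * mu[j][t]
                mu[k][j] -= q
        if dot(bstar[k], bstar[k]) >= (delta - mu[k][k - 1] ** 2) * dot(bstar[k - 1], bstar[k - 1]):
            k += 1
        else:                                               # Lovasz condition fails: swap
            b[k], b[k - 1] = b[k - 1], b[k]
            bstar, mu = gram_schmidt()
            k = max(k - 1, 1)
    return b

def solve(C, v):
    """Gauss-Jordan over the rationals for C x = v; returns x if it is integral, else None."""
    n = len(C)
    M = [[Fraction(x) for x in row] + [Fraction(y)] for row, y in zip(C, v)]
    for col in range(n):
        piv = next((r for r in range(col, n) if M[r][col] != 0), None)
        if piv is None:
            return None
        M[col], M[piv] = M[piv], M[col]
        M[col] = [x / M[col][col] for x in M[col]]
        for r in range(n):
            if r != col and M[r][col] != 0:
                M[r] = [a - M[r][col] * b for a, b in zip(M[r], M[col])]
    x = [row[n] for row in M]
    return [int(t) for t in x] if all(t.denominator == 1 for t in x) else None

def recover_factors(N, samples, k, ell):
    """Sections 3.2 and 4: from s_i = r_i + u_i pq with 0 <= r_i < pq/2^ell, return (p, q)."""
    d = len(samples)
    K = 1 << (2 * k - ell)      # ~ pq/2^ell balances K c_i against sum c_i r_i (example's choice)
    basis = [[K if j == i else 0 for j in range(d)] + [s] for i, s in enumerate(samples)]
    C = [[row[j] // K for j in range(d)] for row in lll_reduce(basis)]   # rows: coefficients c_i
    # All reduced rows but one are null combinations of the u_i; the remaining one equals
    # +/-g with g = gcd(u_1, ..., u_d), which is 1 for random u_i most of the time.
    for j in range(d):
        for g in range(1, 9):
            for sign in (1, -1):
                u = solve(C, [sign * g if t == j else 0 for t in range(d)])
                if u is None or min(u) <= 0:
                    continue
                i = max(range(d), key=u.__getitem__)       # largest u_i: r_i/u_i is below 2^k
                A = (samples[i] // u[i]) >> k << k         # top k bits of pq, low k bits zeroed
                if A == 0:
                    continue
                for cand in range(N // A - 1, N // A + 3):  # p is floor(N/A) or floor(N/A)-1 (eq. 2);
                    if cand > 1 and N % (cand * cand) == 0:  # the wider range absorbs a carry in A
                        return cand, N // (cand * cand)
    return None

def msb_form_from_lsb_leak(S, r0, ell):
    """Section 3.3: with the ell LSBs r0 of the nonce known, 2^-ell (S - r0) mod N is again
    r1 + u' pq with r1 < pq/2^ell, so it feeds the same lattice."""
    return (S - r0) * pow(1 << ell, -1, N) % N

def demo_msb(ell=16, d=5, seed=2003):
    """Constructed samples modelling signatures whose nonces have ell zero MSBs."""
    rng, pq = random.Random(seed), P * Q
    samples = [rng.randrange(pq >> ell) + rng.randrange(1, P) * pq for _ in range(d)]
    return recover_factors(N, samples, K_BITS, ell)

def demo_lsb(ell=16, d=5, seed=31):
    """Constructed samples with full-size nonces whose ell LSBs leak (section 3.3)."""
    rng, pq = random.Random(seed), P * Q
    full = [rng.randrange(pq) + rng.randrange(1, P) * pq for _ in range(d)]
    samples = [msb_form_from_lsb_leak(S, (S % pq) % (1 << ell), ell) for S in full]
    return recover_factors(N, samples, K_BITS, ell)
```

`demo_msb()` and `demo_lsb()` both return `(P, Q)`; `bound_ell(1152, 57, improved=True)` reproduces the value 11 of Fig. 1. The exact-rational LLL is only practical because the dimension is 5; at the paper's sizes (d = 57, 1152-bit N) a floating-point LLL such as NTL's is required.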

5 Other Potential Weaknesses in Esign Implementations 

In [2], Bellare, Goldwasser and Micciancio have pointed out that using a linear 
congruential generator in the DSS signature scheme is totally insecure. The secret 
key can be easily recovered in this case, even if the outputs of the generator 
are truncated. As for DSS, using a linear congruential generator (LCG) with 
public parameters leads to insecure implementations of Esign. 

Such a generator is parameterized by integers $a$, $b$, $M$ and is based on a linear 
recurrence: $r_{i+1} = a r_i + b \bmod M$. The initial seed $r_0$ is the secret. We consider 
the security of Esign in this case and we show that the knowledge of only two 
signatures allows one to recover the secret signature key. Suppose that Esign is used 
with the pseudo-random generator defined by $r_{i+1} = a r_i + b \bmod M$ where $M$ is 
a secret multiple of $pq$, less than $N$, and $a$ and $b$ are public integers in $\mathbb{Z}_M$. The 
initial state $r_0$, which should never be reset, is kept secret as part of the private key. 
The modulus $M$ is chosen to be a multiple of $pq$ so that after reduction modulo 
$pq$ in the signature generation, the generated random values are still uniformly 
distributed in the range $[0, pq[$. Such a choice seems to be the most natural one. 

For any positive index $i$, we have $s_i = r_i + u_i pq$. Thus the following equality 
holds: 

$$
s_{i+1} = r_{i+1} + u_{i+1} pq = \big( (a r_i + b) \bmod M \big) \bmod pq + u_{i+1} pq
$$

Thus, since $a$ and $b$ are public and $M$ is a multiple of $pq$, one can compute 
$s_{i+1} - a s_i - b$, which is a multiple of $pq$. Its GCD with the modulus $N$ is $pq$, and 
the secret key is found. 

Note that this can also be applied even if the parameter $b$ is secret. With only 
four signatures $s_i$, $s_{i+1}$, $s_j$ and $s_{j+1}$, the secret factor $pq$ can also be recovered. 
Indeed, both $s_{i+1} - a s_i$ and $s_{j+1} - a s_j$ are congruent to $b$ modulo $pq$, so it suffices to compute 
$(s_{i+1} - a s_i) - (s_{j+1} - a s_j) = (u_{i+1} - a u_i - u_{j+1} + a u_j + K)\, pq$ where $K$ is an 
integer. The GCD of $N$ with this difference reveals $pq$. 

Finally, using a linear congruential generator is insecure in this case. 
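The signature procedure of section 2 together with the nonce leaks this paper describes (a known nonce, a known $r^e \bmod N$, and the LCG nonces of this section with $b$ public or secret), as an added example with toy 32-bit primes; this is illustration code and not the Esign reference implementation. SHA-256 truncated to $k-1$ bits stands in for $H$, $e = 8$ is assumed, and the LCG parameters $a$, $b$, $M$ and the seed are made up for the demonstration. The signer takes its nonces from an iterator, which is exactly the part a flawed implementation gets wrong.

```python
"""Esign (section 2) with a pluggable nonce source, plus the nonce leaks of sections 2 and 5.
Added illustration with toy 32-bit primes; not the Esign reference implementation."""
import hashlib
import math
import random

K_BITS = 32            # p and q are k-bit primes, so N = p^2 q is 3k = 96 bits
E = 8                  # public exponent, e > 4 (assumed value)

def is_prime(n):       # trial division is enough for 32-bit candidates
    return n > 1 and all(n % i for i in range(2, math.isqrt(n) + 1))

def next_prime(n):
    while not is_prime(n):
        n += 1
    return n

P = next_prime((1 << K_BITS) - 100)
Q = next_prime((1 << (K_BITS - 1)) + 1000)
N, PQ = P * P * Q, P * Q           # public modulus and secret factor pq

def hash_y(msg):
    """y = 0 || H(M) || 0^{2k}, with H(M) of k-1 bits (SHA-256 truncated stands in for H)."""
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big") % (1 << (K_BITS - 1))
    return h << (2 * K_BITS)

def sign(msg, nonces):
    """Steps 1-4 of section 2. `nonces` is an iterator supplying r; returns (r, s) so that the
    leaks below can be simulated (a real signer of course never outputs r)."""
    y = hash_y(msg)
    for r in nonces:                                        # step 2
        if r % P == 0:
            continue                                        # e r^{e-1} must be invertible mod p
        z = (y - pow(r, E, N)) % N                          # step 3a
        w0 = -(-z // PQ)                                    # step 3b: ceil(z / pq)
        w1 = w0 * PQ - z                                    # step 3c
        if w1 >= 1 << (2 * K_BITS - 1):
            continue                                        # back to step 2 with a fresh r
        u = w0 * pow(E * pow(r, E - 1, P), -1, P) % P       # step 3d
        return r, r + u * PQ                                # step 3e
    raise RuntimeError("nonce source exhausted")

def verify(msg, s):
    """The k most significant bits of s^e mod N must equal 0 || H(M)."""
    return pow(s, E, N) >> (2 * K_BITS) == hash_y(msg) >> (2 * K_BITS)

def uniform_nonces(seed):
    rng = random.Random(seed)
    while True:
        yield rng.randrange(1, PQ)

def lcg_nonces(a, b, r0, m):
    """Section 5: r_{i+1} = a r_i + b mod M with M a multiple of pq; the signer uses r_i mod pq."""
    r = r0
    while True:
        yield r % PQ
        r = (a * r + b) % m

def pq_from_nonce(s, r):
    """s - r = u pq with 0 < u < p, so gcd(N, s - r) = pq."""
    return math.gcd(N, s - r)

def pq_from_nonce_power(s, re_mod_n):
    """s^e - r^e = e r^{e-1} u pq (mod N), again a multiple of pq."""
    return math.gcd(N, (pow(s, E, N) - re_mod_n) % N)

def pq_from_lcg(s_i, s_i1, a, b):
    """a, b public: s_{i+1} - a s_i - b is a multiple of pq."""
    return math.gcd(N, s_i1 - a * s_i - b)

def pq_from_lcg_secret_b(s_i, s_i1, s_j, s_j1, a):
    """b secret: both brackets are congruent to b mod pq, so their difference is a multiple of pq."""
    return math.gcd(N, (s_i1 - a * s_i) - (s_j1 - a * s_j))

def demo():
    """Runs every attack once; returns (signatures verify, r leak, r^e leak, LCG, LCG secret b)."""
    msgs = [b"pay 1 EUR", b"pay 2 EUR", b"pay 3 EUR", b"pay 4 EUR"]
    r, s = sign(msgs[0], uniform_nonces(1))
    a, b, m = 0x5DEECE66D, 11, PQ * 12345        # made-up LCG parameters, M = 12345 * pq
    src = lcg_nonces(a, b, 0xC0FFEE, m)          # one generator shared by consecutive signatures
    sigs = [sign(msg, src)[1] for msg in msgs]
    return (all(verify(msg, sg) for msg, sg in zip(msgs, sigs)) and verify(msgs[0], s),
            pq_from_nonce(s, r) == PQ,
            pq_from_nonce_power(s, pow(r, E, N)) == PQ,
            pq_from_lcg(sigs[0], sigs[1], a, b) == PQ,
            pq_from_lcg_secret_b(sigs[0], sigs[1], sigs[2], sigs[3], a) == PQ)
```

`demo()` returns five `True` values. The LCG attacks assume the two signatures were produced from consecutive generator outputs; the retry in step 3c consumes an extra nonce when $w_1$ is too large, which breaks that pairing, but at this size the retry is hit with probability well below $2^{-20}$ per signature.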

6 Conclusion 

In conclusion we have shown in this paper that Esign must be carefully imple- 
mented since like many other public key cryptosystems, security of ephemeral 
keys is of crucial importance. We also insist on the idea that physical techniques 
like probing or electromagnetic analysis can be very efficiently combined with 
more theoretical algorithmic cryptanalysis methods, for example based on LLL. 
Abstract. One-time proxy signatures are one-time signatures for which 
a primary signer can delegate his or her signing capability to a proxy 
signer. In this work we propose two one-time proxy signature schemes 
with different security properties. Unlike other existing one-time proxy 
signatures that are constructed from public key cryptography, our proposed 
schemes are based on one-way functions without trapdoors and so 
they inherit the communication and computation efficiency of 
traditional one-time signatures. Although from a verifier's point of view, 
signatures generated by the proxy are indistinguishable from those created 
by the primary signer, a trusted authority can be equipped with 
an algorithm that allows the authority to settle disputes between the 
signers. In our constructions, we use a combination of one-time signatures, 
oblivious transfer protocols and certain combinatorial objects. We 
characterise these new combinatorial objects and present constructions 
for them. 


1 Introduction 

In general, digital signatures can be divided into two classes. The first class 
includes one-time signatures and their variants based on one-way functions without 
trapdoors. These schemes can be used to sign a predetermined number of messages 
only; we will call them one/multiple-time signature schemes (examples of 
such schemes include one-time signatures by Lamport [16] and Rabin [27], but 
also multiple-time signatures by Rohatgi [32], by Reyzin and Reyzin [30], and 
by Pieprzyk, Wang and Xing [26]). The second class of schemes is based on 
public-key cryptography and they can be used to sign an unlimited number of 
messages. The RSA [29] and the ElGamal [10] signatures represent this class. 

One-time signatures were first proposed by Rabin [27] and Lamport [16] and 
are based on the idea of committing public keys to secret keys using one-way 
functions. For more than 25 years, various variants of Rabin’s schemes have been 
proposed and investigated by many researchers (see, for example, [3,4,11,16,20]). 
Indeed, one-time signatures have found many interesting applications [7,21], in- 
cluding on-line/off-line signatures [9], digital signatures with forward security 
properties [1], broadcast authentication protocols [25] and stream-oriented au- 
thentication [32] etc. 

C.S. Laih (Ed.): ASIACRYPT 2003, LNCS 2894, pp. 507-522, 2003. 

© International Association for Cryptologic Research 2003 
One of the main advantages of one-time signatures is their reliance on one-way 
functions without trapdoors that can be implemented using fast hash functions 
such as SHA-1 or MD5. The resulting signatures are an order of magnitude 
faster than signatures based on public-key cryptography. With the advent of low-powered, 
resource-constrained, small devices, such as cell phones, pagers, Palm 
Pilots, smart cards etc. in recent years, one-time signatures have attracted more 
and more attention, as an attractive alternative to the traditional signatures 
based on public key cryptography (see, for example [15,25,30]). 

Although digital signatures have been successfully applied to ensure the integrity, 
authenticity, and non-repudiation of electronic documents, standard 
signatures (both based on public-key cryptography and on one-way functions) 
alone are too inflexible and inefficient to handle many practical requirements in 
new applications. Thus, many variants of the standard signatures with additional 
functionalities have been proposed. These include blind, undeniable, and group 
signatures to mention a few. Motivated by applications that require the power 
to sign to be transferred from one person to another, Mambo et al [19] proposed 
proxy signatures. Proxy signatures allow a designated person, called a proxy, to 
sign on behalf of a primary signer. A proxy signature convinces a verifier that 
the primary signer has delegated the signing power to the proxy and that the 
proxy has signed the message. 

To our best knowledge, all the previously published proxy signatures are 
based on public-key cryptography. Most of the proxy signatures can be viewed 
as modifications of the ElGamal signature and their security typically relies 
on the assumption of the difficulty of the discrete logarithm problem (the DL 
assumption). In addition, these proxy schemes can generally be used for signing 
multiple messages and for multiple proxy signers. 

In this paper, we will study one-time proxy signatures (or simply OTP signa- 
tures). As the name suggests, we consider one-time signatures with the additional 
proxy functionality. It should be noted that the notion of one-time proxy signa- 
ture itself is not new, and it has been proposed by Kim et al [15] in a different 
context. Their signature is a variant of the ElGamal signature (or more precisely, 
a variant of one-time fail-stop signature [13]) and its security rests on the DL 
assumption. The motivation behind their work is to limit the power of the proxy 
signer so the proxy signer can sign once only. In contrast, our motivation is to 
enable the primary signer to delegate a proxy to sign in the applications where 
one-time signatures (based on one-way functions) are used. 

To define our proxy signatures, we employ two basic cryptographic primitives 
as the building blocks. The first one is a one-time (or multiple-time) signature 
primitive based on one-way functions. The second building block is an obliv- 
ious transfer (OT) primitive. We then combine these primitives with certain 
combinatorial objects to obtain our OTP signatures. We formulate the general 
framework for proxy signatures, define their security goals and attacks against 
them. We then show that the efficiency of any OTP signature can be measured 
by the properties of the underlying combinatorial objects. We introduce proxy 
patterns that characterise the properties of these OTP signatures. Next, we give 
constructions for the desired proxy patterns, using polynomials over finite fields 
and error-correcting codes, and link them with other combinatorial structures 
(such as Steiner systems). 

The rest of the paper is organised as follows. In Section 2, we introduce our 
model of one-time proxy signatures. In Section 3, we consider candidates for the 
two building blocks that can be used to construct one-time proxy signatures. In 
Section 4, we propose a simple scheme for one-time proxy signatures and later 
we describe a basic scheme and analyse its security. In Section 5, we analyse the 
basic scheme and its security against the swallow attacks. Finally, Section 
6 concludes the paper. 

2 The Model 

A proxy signature enables the primary signer to delegate his/her signing capa- 
bility to a proxy signer so the proxy signer can generate a signature on behalf of 
the primary signer. Mambo et al [19] introduced the concept of proxy signature. 
They defined three classes of delegation: full delegation, partial delegation and 
delegation by warrant. A full delegation scheme assumes that the primary signer 
and the proxy signer have the same secret key, so the proxy signer can sign any 
message that is indistinguishable from the signature generated by the primary 
signer. A signature with partial delegation allows the primary signer to delegate 
the power of signing to a proxy in such a way that the signatures generated 
by the primary and proxy signers are different. This is normally done by mak- 
ing verification algorithms different for primary and proxy signatures. In other 
words, proxy signatures are distinguishable from primary signatures. A signa- 
ture with delegation by warrant requires an additional piece of message (called 
a warrant) that determines the proxy signer that is delegated by the primary 
signer. Signatures with full delegation do not provide non-repudiation while sig- 
natures with partial delegation do. Signatures with delegation by warrant can 
be implemented using double signatures and therefore, they are not as efficient 
as signatures with full or partial delegations. 

In this paper, we are interested in one-time signatures that allow full delegation 
with an added feature that allows the authorship of the signature to be traced 
(if both proxy and primary signers agree to settle a dispute). Being more precise, 
we are going to consider proxy signatures with full delegation, in which the 
private signing key of the proxy signer is derived from the private key of the 
primary signer. In particular, we restrict our attention to signatures that can be 
used once only. 

Informally, a one-time proxy signature scheme (OTP signature) includes two 
parties: a primary signer and a proxy signer together with the following three 
algorithms. 

Key Generation: For a given security parameter, it outputs a pair of private 
and public keys for the primary signer and a private key for the proxy signer. 
The key generation may involve a two-party protocol run between the pri- 
mary and proxy signers, or a multi-party protocol that is run amongst three 
parties: the primary signer, the proxy, and a trusted authority. 
Signing: For an input that consists of a message to be signed and the private 
key of the signer (either primary or proxy), it outputs a valid signature. 
Verifying: For an input that includes a pair (a message and a signature) and 
the public key of the primary signer, it outputs either accept or reject. 

In the following, we consider the basic security requirements imposed on OTP 
signatures. If an OTP signature satisfies the requirements, it is called secure. 

Unforgeability: It is infeasible for any third party (that has not been involved 
in signing) to forge a message/signature that passes the signature verifi- 
cation. This means that if a signature has been generated by the primary 
signer, nobody (including the proxy) can forge a message/signature. Also if 
the signature has been generated by the proxy, then nobody (including the 
primary signer) can forge a message/signature. 

Verifiability: For a valid signature, a verifier is convinced that the primary 
signer has agreed to sign a message (either the primary signer has signed it 
or the proxy has). 

Traceability: In case of a dispute between the primary and proxy signers, there 
exists a tracing algorithm that reveals the identity of the actual signer. That 
is, the algorithm guarantees that it should be infeasible for 

— the primary signer to sign a message and to claim later that it has been 
signed by the proxy signer. 

— the proxy signer to sign a message and to claim later that it has been 
signed by the primary signer. 

We note that the model of our OTP signature is slightly different from previ- 
ous proxy signatures in the sense that there is only one public key of the primary 
signer for the signature verification. Thus, from a verifier point of view, signa- 
tures generated by primary or proxy signers are indistinguishable (like in the 
full delegation). However, the tracing algorithm guarantees the non-repudiation 
property for the primary signer and the proxy signer. Thus, unlike in full delegation 
signatures, the primary signer and the proxy signer have different private 
keys for signature generation, and in case a dispute occurs between the two potential 
signers, the tracing algorithm is called to resolve it. We argue that the 
indistinguishability between the signatures by the primary signer and the proxy 
signer is an interesting property, for example, it can be used to protect the pri- 
vacy of the actual signer. However, in this paper we are not going to explore it 
beyond this point. 

3 Building Blocks 

In this section, we review two cryptographic primitives that are needed in 
our constructions of proxy signatures. 

3.1 One-Time Signature 

One-time signatures are based on one-way functions. Rabin published the first 
one-time signature based on a private-key encryption or a one-way function 
without a trapdoor [27], requiring interaction between the signer and the verifier. 
Lamport [16] gave a non-interactive one-time signature using a one-way function. 
The idea of Lamport is as follows. For a given one-way function $f$, one selects 
two random strings $x_0, x_1$ as the secret key, and publishes $f(x_0)$ and $f(x_1)$ as 
the public key. Then the single-bit message $b \in \{0,1\}$ can be signed by revealing 
$x_b$. Various modifications of the Lamport signature with improved efficiency and 
functionalities have been proposed (see, for example [2,4,5,9,12,14,21,25,30,32]). 

As our building block, we are going to use a one-time signature defined as 
follows. Let $b, t, k$ be integers such that $\binom{t}{k} \ge 2^b$. Let $T$ denote the set $\{1, 2, \ldots, t\}$ 
and $T_k$ be the family of $k$-subsets of $T$. Let $S$ be a one-to-one mapping from 
$\{0, 1, \ldots, 2^b - 1\}$ to $T_k$ such that for a message $m$, $S(m)$ assigns a unique 
$k$-element subset from $T_k$. Let $f$ be a one-way function operating on $\ell$-bit strings 
($\ell$ is a security parameter). 

The signature scheme consists of three algorithms: key generation, signing 
and verification. For a given security parameter $\ell$, the key generator chooses 
at random $t$ strings $s_i$ of length $\ell$ bits and creates the secret key 
$SK = (s_1, \ldots, s_t)$. The public key is the image of the secret key obtained using the 
one-way function $f$, i.e., $PK = (v_1, \ldots, v_t)$ such that $v_1 = f(s_1), \ldots, v_t = f(s_t)$. 

To sign a $b$-bit message $m$, the signer interprets $m$ as an integer between $0$ 
and $2^b - 1$ and computes $S(m) = \{i_1, \ldots, i_k\} \in T_k$. The values $s_{i_1}, \ldots, s_{i_k}$ form the 
signature of $m$. 

To verify a signature $(s'_1, s'_2, \ldots, s'_k)$ on a message $m$, the verifier again 
interprets $m$ as an integer between $0$ and $2^b - 1$ and computes $\{i_1, \ldots, i_k\}$ as 
the $m$-th $k$-element subset of $T_k$. Finally, the verifier checks whether 
$f(s'_1) = v_{i_1}, \ldots, f(s'_k) = v_{i_k}$. 

Definition 1. We call the above one-time signature scheme a $(t,k)$ one-time 
signature scheme and denote it by $O = (T, S, f)$, or simply by $O$. The parameters 
$(t,k)$ specify the efficiency of the signature. 

Note that the Bos-Chaum one-time signature scheme [2] is a special case of 
the $(t,k)$ scheme in which $k = t/2$. Note also that for a $(t,k)$ one-time signature 
$O = (T, S, f)$, the most expensive part of computation is the implementation 
of the mapping $S$. In [30], Reyzin and Reyzin present two algorithms for the 
implementation of $S$ with computation costs of $O(tk \log^2 t)$ or $O(k^2 \log t \log k)$. 
In [26], Pieprzyk et al give more efficient implementations for $S$ through the 
explicit constructions of $S$ using polynomials over finite fields, error-correcting 
codes, and algebraic curves. 

3.2 Oblivious Transfer (OT) 

An oblivious transfer (OT) refers to a two-party protocol executed between a 
sender S and a receiver R. The goal of the protocol is to transfer the knowledge 
about an input string held by the sender to the receiver in such a way that the 
receiver learns some part of the input but the sender cannot figure out which 
part of the input is now known to the receiver. Consider a 1-out-$n$ oblivious 
transfer ($OT^n_1$) protocol. The sender $S$ has $n$ secrets (strings) $m_1, m_2, \ldots, m_n$, 
and is willing to disclose one of them ($m_\alpha$) to $R$ for some index $\alpha$ chosen by 
$R$. However, $R$ does not want to reveal its choice of the index $\alpha$ to $S$ and at 
the same time, $S$ does not want $R$ to gain any information about the other secrets 
$m_i$, $i \ne \alpha$. In general, we may have a $k$-out-$n$ oblivious transfer ($OT^n_k$), in which 
$R$ may choose $k$ indices out of $n$. 

The concept of oblivious transfer has been introduced by Rabin in 1981 
[28] and it has been extensively studied (see, for example, [8,22,23]). Here is 
an example of $OT^n_1$ proposed recently by Tzeng [33], which is among the most 
efficient OT protocols proposed so far. Let $g$ and $h$ be two (public) generators 
in a $q$-order group $G_q$, where $q$ is prime. Assume that the secret input of $S$ 
is $m_1, m_2, \ldots, m_n \in G_q$, and the choice of $R$ is $\alpha$, $1 \le \alpha \le n$. The protocol 
proceeds as follows. 

1. $R \to S$: $y = g^r h^\alpha$ for a random $r \in Z_q$, 

2. $S$ randomly chooses $n$ elements $k_i \in Z_q$ and 

$S \to R$: $c_i = (g^{k_i},\ m_i (y/h^i)^{k_i})$, $1 \le i \le n$. 

3. $R$ computes $m_\alpha = b/a^r$, assuming $c_\alpha = (a, b)$. 

It is proved in [33] that in the above $OT^n_1$ protocol, the confidentiality of the 
receiver's choice is unconditionally secure and the confidentiality of the un-chosen 
secrets is at least as strong as the hardness of the decision Diffie-Hellman problem. 
As to the computations required in the protocol, the receiver needs to compute 2 
modular exponentiations and the sender computes $2n$ modular exponentiations. 
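As an added example (not code from the paper or from Tzeng's work), the $OT^n_1$ exchange above in Python, with a constructed toy safe-prime group ($p = 4079$, $q = 2039$, $g = 4$, $h = 9$) standing in for $G_q$; both sides' messages are built exactly as in steps 1 to 3, and a brute-force check over the small group illustrates why $y$ reveals nothing about $\alpha$.

```python
# Added example: Tzeng's OT^n_1 in a toy prime-order group (parameters are
# constructed for illustration; a deployment would use a standards-sized group).
import secrets

P = 4079   # safe prime, P = 2*Q + 1
Q = 2039   # prime order of G_q, the subgroup of quadratic residues mod P
G = 4      # g = 2^2 mod P, a generator of G_q
H = 9      # h = 3^2 mod P, a second generator; log_g(h) is not used by anyone

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

assert is_prime(P) and is_prime(Q) and P == 2 * Q + 1

def inv(x):
    return pow(x, -1, P)

def receiver_round1(alpha):
    """Step 1, R -> S: y = g^r h^alpha for a random r in Z_q. Returns (y, r)."""
    r = secrets.randbelow(Q)
    y = (pow(G, r, P) * pow(H, alpha, P)) % P
    return y, r

def sender_round2(msgs, y):
    """Step 2, S -> R: c_i = (g^{k_i}, m_i (y / h^i)^{k_i}) for i = 1..n."""
    cts = []
    for i, m in enumerate(msgs, start=1):
        k = secrets.randbelow(Q)
        a = pow(G, k, P)
        b = (m * pow((y * inv(pow(H, i, P))) % P, k, P)) % P
        cts.append((a, b))
    return cts

def receiver_round3(cts, alpha, r):
    """Step 3: R recovers m_alpha = b / a^r from c_alpha = (a, b)."""
    a, b = cts[alpha - 1]
    return (b * inv(pow(a, r, P))) % P

def run_ot(msgs, alpha):
    """Full OT^n_1 exchange; returns the secret the receiver learns."""
    y, r = receiver_round1(alpha)
    cts = sender_round2(msgs, y)
    return receiver_round3(cts, alpha, r)

def consistent_with_every_choice(y, n):
    """Receiver privacy: since h lies in <g>, for every alpha' in 1..n there is an
    r' with y = g^{r'} h^{alpha'}, so y carries no information about alpha.
    Checked by enumerating <g> in the toy group."""
    subgroup = {pow(G, r, P) for r in range(Q)}
    return all((y * inv(pow(H, a, P))) % P in subgroup for a in range(1, n + 1))

if __name__ == "__main__":
    # constructed secrets: n = 5 random elements of G_q
    sender_secrets = [pow(G, secrets.randbelow(Q), P) for _ in range(5)]
    print(run_ot(sender_secrets, 3) == sender_secrets[2])
```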

4 One-Time Proxy Signatures 

Our basic idea behind the constructions of OTP signatures is as follows. The 
primary signer generates $n$ private/public key pairs for one-time signatures, say 
$(sk_1, pk_1), \ldots, (sk_n, pk_n)$. The proxy signer gains one of the $n$ private keys, say 
$sk_i$, in such a way that the primary signer does not know which key was obtained 
by the proxy signer, i.e., the primary signer does not know the index $i$. The 
primary signer publishes the public keys $pk_1, \ldots, pk_n$ in an authenticated way. 
The proxy signer uses $sk_i$ to sign the message, which can be verified by anyone 
who knows the public key. Note that the verification of signatures generated by 
primary and proxy signers is the same. 

To prevent cheating by signers, a tracing algorithm has to be carefully de- 
signed. The algorithm should be run by a trusted authority and should identify 
the true signer with a high probability. Note that the oblivious transfer enables 
us to identify the true signer. To do this, the trusted authority always asks the 
proxy to sign the disputed message again. If the proxy is unable to produce a 
different signature it means that either the proxy really signed the message or 
the primary signer has applied the same secret key as proxy (this event happens 
with the probability 1/n). 
4.1 A Simple Proxy Signature Scheme 

We present a simple and somewhat trivial scheme to illustrate the basic idea. 
Then we improve its efficiency using some combinatorial techniques. The scheme 
is based on a $(t,k)$ one-time signature $O = (T, S, f)$ and an oblivious transfer 
protocol $OT^n_1$ (or $OT^{nt}_t$), and it works as follows. 

Key Generation: It consists of the following three steps. 

— The primary signer randomly chooses an $n \times t$ array $A = (s_{ij})_{n \times t}$ as 
her private key. Each row holds $t$ secret keys of an instance of the $(t,k)$ 
one-time signature $O$. The public key is $V = (v_{ij})_{n \times t}$, where $v_{ij} = f(s_{ij})$ 
and $f$ is the one-way function from $O$. 

— The primary and proxy signers execute an $OT^n_1$ (or $OT^{nt}_t$) protocol. At 
the end of the protocol, the proxy signer learns one row from $A$, say 
$(s_{i1}, \ldots, s_{it})$, as his private key, but nothing more. The primary signer 
has no information about the index $i$. 

— The proxy signer applies $f$ to $(s_{i1}, \ldots, s_{it})$ and compares the results with 
the $i$th row of the public array $V$. If the check fails to hold, the proxy exits 
the scheme and complains to the primary signer. 

Signing: The proxy signer applies the $i$th row of $A$, i.e., $(s_{i1}, \ldots, s_{it})$, as his 
private key of the one-time signature $O$ and signs the message $m$. That is, 
the proxy signer first computes $S(m) = \{j_1, \ldots, j_k\} \subseteq \{1, \ldots, t\}$ and then 
reveals $m$ and the signature $\delta = \{(s_{ij_1}, \ldots, s_{ij_k}), i\}$. 

Verifying: This part follows the steps necessary to verify an instance of the 
(t, k) one-time signature. 

Security. We discuss the security requirements of the scheme. Obviously, un- 
forgeability and verifiability of the OTP signature follow directly from the un- 
forgeability and verifiability of the underlying one-time signature O. What we 
need to consider is the traceability of the true signer (in case of cheating attempts 
from either the proxy or the primary signer). 

Unforgeability against the primary signer: Assume that the primary signer wants 
to cheat. She generates a signature for a message $m$ and later claims that it 
was generated by the proxy signer. Note that to sign $m$, the primary signer 
has to choose a row of $A$ and to sign using the chosen instance of the one-time 
signature. Suppose that she has chosen the $j$th row of $A$. The generated signature is 
$\delta_j = \{(s_{ji_1}, \ldots, s_{ji_k}), j\}$, where $S(m) = \{i_1, \ldots, i_k\}$. The proxy signer can prove 
that the signature was not generated by him, by revealing another signature 
for $m$ using his private key $(s_{i1}, \ldots, s_{it})$. That is, he reveals the signature 
$\delta_i = \{(s_{ii_1}, \ldots, s_{ii_k}), i\}$, which shows that $\delta_i \ne \delta_j$. As the proxy signer knows only one 
row of the private keys, he can only sign the message with one of the rows, so 
$\delta_j$ must have been generated by the primary signer. The OT protocol provides 
unconditional security for the proxy signer and the probability of success of the 
primary signer is $1/n$. 

Unforgeability against the proxy signer: Suppose that the proxy signer wants to 
cheat: he generates a signature, later denies it and claims that the primary signer 
(or someone else) has generated the signature. His claim can be accepted only if 
he can generate a different signature for the same message. In other words, the 
proxy would have to produce two different signatures for the same message. This is 
impossible unless he is able to break the OT protocol or to invert the one-way 
function. 

We stress that the tracing algorithm is called only if the dispute between the 
primary signer and the proxy signer occurs. The knowledge of a valid signature 
alone is not sufficient to identify the actual signer (the signature provides full 
delegation). 

Efficiency. We look at the efficiency of the scheme. The signing and verification 
of the signature are exactly the same as in the underlying one-time signature 
scheme, so they can be very fast. The key generation requires $n$ times the cost of 
key generation for one-time signatures, plus the cost of running an $OT^n_1$ (or 
$OT^{nt}_t$) protocol. The length of the public and secret keys increases $n$ times as well. 
However, observe that the key generation, which is the most expensive part of the 
computations, can be precomputed. Furthermore, an expensive OT protocol can 
be avoided if a trusted third party helps during the key generation. The private 
key of the primary signer can be discarded after the key generation. In the next 
section we propose methods to reduce the public key length. 
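The following added example (not code from the paper) implements the $(t,k)$ one-time signature of Section 3.1, with SHA-256 standing in for $f$ and $S$ realised by colex unranking of the $m$-th $k$-subset, and on top of it the simple proxy scheme and its tracing procedure from Section 4.1. The OT step is replaced by a trusted dealer handing the proxy one row, as the efficiency remark allows; the function names and the parameters $n = t = 8$, $k = 4$ are this example's own choices.

```python
# Added example: (t,k) one-time signature O = (T, S, f) plus the simple proxy
# scheme of Section 4.1 and its tracing algorithm. Names are this example's own.
import hashlib
import secrets
from math import comb

def f(s: bytes) -> bytes:
    """The one-way function of O (SHA-256 stands in for f)."""
    return hashlib.sha256(s).digest()

def S(m: int, t: int, k: int) -> list:
    """m-th k-subset of {1..t} in colex order: the mapping S of Section 3.1,
    unranked through the combinatorial number system."""
    assert 0 <= m < comb(t, k)
    subset = []
    for r in range(k, 0, -1):
        c = r - 1                       # largest c with comb(c, r) <= m
        while comb(c + 1, r) <= m:
            c += 1
        m -= comb(c, r)
        subset.append(c + 1)            # 1-based column index
    return sorted(subset)

def ots_keygen(t, ell=16):
    """t random ell-byte secrets s_i and their images v_i = f(s_i)."""
    sk = [secrets.token_bytes(ell) for _ in range(t)]
    return sk, [f(s) for s in sk]

def ots_sign(sk, m, t, k):
    return [sk[j - 1] for j in S(m, t, k)]

def ots_verify(pk, m, sig, t, k):
    return len(sig) == k and all(f(s) == pk[j - 1] for s, j in zip(sig, S(m, t, k)))

# --- simple proxy scheme: the private key A is an n x t array of OTS secrets ---
def primary_keygen(n, t):
    A, V = [], []
    for _ in range(n):
        sk, pk = ots_keygen(t)
        A.append(sk)
        V.append(pk)
    return A, V

def proxy_receive_row(A, V, i):
    """A trusted dealer hands the proxy row i (in place of the OT protocol);
    the proxy checks it against V, as in the third key-generation step."""
    row = A[i]
    if [f(s) for s in row] != V[i]:
        raise ValueError("row does not match the public key")
    return row

def proxy_sign(row, i, m, t, k):
    return (ots_sign(row, m, t, k), i)          # delta = {(s_ij1, ..., s_ijk), i}

def verify(V, m, delta, t, k):
    sig, i = delta
    return 0 <= i < len(V) and ots_verify(V[i], m, sig, t, k)

def trace(V, m, disputed, proxy_row, proxy_i, t, k):
    """Tracing: the authority asks the proxy to sign m again. A second valid
    signature that differs from the disputed one proves the disputed signature
    used another row, i.e. came from the primary signer. If the primary happened
    to use the proxy's own row (probability 1/n) the proxy cannot show this."""
    second = proxy_sign(proxy_row, proxy_i, m, t, k)
    if verify(V, m, second, t, k) and second != disputed:
        return "primary"
    return "proxy"

if __name__ == "__main__":
    t, k, n = 8, 4, 8                   # comb(8,4) = 70 >= 2^6, so 6-bit messages
    A, V = primary_keygen(n, t)
    row = proxy_receive_row(A, V, 5)
    delta = proxy_sign(row, 5, 37, t, k)
    print(verify(V, 37, delta, t, k), trace(V, 37, delta, row, 5, t, k))
```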

4.2 The Basic Proxy Signature Scheme 

To decrease the probability of successful cheating by the primary signer, it is 
required to increase the parameter $n$ and consequently the number of rows in $A$. 
This means that a simple proxy signature secure against a dishonest primary 
signer must have a long private/public key. We show that the simple proxy 
signatures can be converted into proxy signatures with shorter public keys using 
combinatorial techniques. 

Definition 2. Given a set $X = \{x_1, \ldots, x_M\}$ and an $n \times t$ array $C = [c_{ij}]$ with 
entries from $X$. The array $C$ is called a $(t,k,n,M)$ proxy pattern, denoted by 
$PP(t,k,n,M)$, for a $(t,k)$ one-time signature if 

1. each row of $C$ contains $t$ different elements of $X$, 

2. any two distinct rows of $C$ have at most $k-1$ common elements, i.e., for 
any $i \ne j$, 

$$|\{c_{i1}, \ldots, c_{it}\} \cap \{c_{j1}, \ldots, c_{jt}\}| < k.$$ 

For a given $PP(t,k,n,M)$, we combine it with a $(t,k)$ one-time signature 
to construct an OTP signature that is a generalisation of the simple scheme 
presented above. Without loss of generality, assume that $C = (c_{ij})$ is a 
$PP(t,k,n,M)$ with entries taken from $X = \{1, \ldots, M\}$ and $O = (T, S, f)$ is a 
$(t,k)$ one-time signature. Our basic proxy signature works as follows. 

Key Generation: It goes through the following three steps. 

— The primary signer randomly chooses $M$ distinct values $(s_1, s_2, \ldots, s_M)$ 
as the private key (for example, each $s_i$ is an $\ell$-bit string if the underlying 
one-time signature $O$ is defined for the security parameter $\ell$). The public 
key is $V = (v_1, \ldots, v_M)$, where $v_i = f(s_i)$, $i = 1, \ldots, M$. 

— The primary and proxy signers execute an $OT^M_t$ protocol. At the end of 
the protocol, the proxy signer learns the $i$th row of $C$, that is 
$(s_{c_{i1}}, \ldots, s_{c_{it}})$, as his private key, but nothing more. The primary signer has no 
information about the index $i$. 

— The proxy signer applies $f$ to $(s_{c_{i1}}, \ldots, s_{c_{it}})$ and checks the results against 
the corresponding components of the public key $V$. If the check fails, the 
proxy aborts and complains. 

Signing: For a given message $m$, the proxy signer applies his private key 
$(s_{c_{i1}}, \ldots, s_{c_{it}})$ to the one-time signature $O$ and signs the message. That is, 
the proxy signer first computes $S(m) = \{j_1, \ldots, j_k\} \subseteq \{1, \ldots, t\}$ and then 
reveals the signature $\delta = \{(s_{c_{ij_1}}, \ldots, s_{c_{ij_k}}), i\}$. 

Verifying: It follows the verification of the $(t,k)$ one-time signature (applied 
to the appropriate instance of the one-time signature) in a straightforward 
manner. 

It is easy to see that the security of this scheme is similar to the security of 
the simple scheme. The traceability is guaranteed by the properties of the proxy 
pattern $C$, that is, any two rows will have at most $k-1$ common elements. Since a 
signature requires the knowledge of $k$ secret values of the private key, the proxy 
signer can resolve disputes by showing two valid signatures (corresponding to 
two different rows of $C$). 

The main advantage of the basic signature scheme is a reduction of the length 
of the public key (and the corresponding private key) from $nt$ values to $M$ values. 
In the remainder of this section, we will give constructions for proxy patterns 
with small $M$ and derive a bound on the minimal value for $M$. 


4.3 Constructions of Proxy Patterns 

It is easy to see that the simple signature uses a trivial $PP(t,k,n,nt)$ for any 
$k$, $1 \le k \le t$. By fixing $k$, as is the case for the underlying $(t,k)$ one-time 
signature, we are able to construct a $PP(t,k,n,M)$ such that $M$ is significantly 
smaller than $nt$, and so to reduce the length of the public key. 

Assume $GF(q)$ is a finite field with $q$ elements and $a_1, \ldots, a_t$ are $t$ distinct 
elements from $GF(q)$. We construct a $PP(t,k,n,M)$ as follows. Consider the set 
$X = \{a_1, \ldots, a_t\} \times GF(q)$ and all polynomials of degree at most $k-1$ 
over $GF(q)$. Next write them as $g_1(x), \ldots, g_{q^k}(x)$. Note that there are $q^k$ such 
polynomials. Further define a $q^k \times t$ array $C = [c_{ij}]$ with entries taken from $X$, 
so 

$$c_{ij} = (a_j, g_i(a_j)), \quad \text{for } i = 1, 2, \ldots, q^k,\ j = 1, 2, \ldots, t.$$ 

Now we show that $C$ is a $PP(t,k,q^k,qt)$. Indeed, for $1 \le i \le q^k$, the $i$th row of 
$C$ is 

$$((a_1, g_i(a_1)), (a_2, g_i(a_2)), \ldots, (a_t, g_i(a_t))).$$ 

Thus, for $i \ne j$, 

$$|\{(a_1, g_i(a_1)), \ldots, (a_t, g_i(a_t))\} \cap \{(a_1, g_j(a_1)), \ldots, (a_t, g_j(a_t))\}|$$ 

$$= |\{a \mid g_i(a) = g_j(a)\}|$$ 

$$= |\{a \mid (g_i - g_j)(a) = 0\}|$$ 

$$< k,$$ 

since otherwise the polynomial $g_i - g_j$ would have $k$ or more roots. But $g_i - g_j$ 
is a polynomial of degree at most $k-1$, so it follows that $g_i = g_j$, which contradicts 
$i \ne j$. We have proved the following result. 

Theorem 1. Let $q$ be a prime power. For any integers $t, k$ such that $k < t \le q$, 
there exists a $PP(t,k,q^k,qt)$. 

Note that for the simple proxy signature, a $PP(t,k,q^k,q^k t)$ is required. Thus, 
for the fixed parameters $t$, $k$ and $q^k$, we can reduce the number of elements in 
the public key from $q^k t$ for the simple proxy signature to $qt$ in the basic proxy 
signature. 

A generalisation of the above polynomial construction uses error-correcting 
codes. Let $Y$ be an alphabet of $q$ elements. An $(N, W, D, q)$ code is a set $\mathcal{M}$ of $W$ 
vectors in $Y^N$ such that the Hamming distance between any two distinct vectors 
in $\mathcal{M}$ is at least $D$. Consider an $(N, W, D, q)$ code $\mathcal{M}$. We write each codeword 
as $m_i = (m_{i1}, \ldots, m_{iN})$ with $m_{ij} \in Y$, where $1 \le i \le W$, $1 \le j \le N$. For the set 
$X = \{1, \ldots, N\} \times Y$, we define a proxy pattern $C = (c_{ij})$ as follows, 

$$c_{ij} = (j, m_{ij}), \quad \text{for } i = 1, 2, \ldots, W,\ j = 1, 2, \ldots, N.$$ 

Now for each distinct $i, j$, we have 

$$|\{c_{i1}, c_{i2}, \ldots, c_{iN}\} \cap \{c_{j1}, c_{j2}, \ldots, c_{jN}\}|$$ 

$$= |\{(k, m_{ik}) : 1 \le k \le N\} \cap \{(k, m_{jk}) : 1 \le k \le N\}|$$ 

$$= |\{k : m_{ik} = m_{jk}\}|$$ 

$$< N - D + 1.$$ 

This shows that the array $C$ constructed above is a $PP(N, N-D+1, W, Nq)$. 
We then have 

Theorem 2. If there exists an $(N, W, D, q)$ code, then there exists a 
$PP(N, N-D+1, W, Nq)$. 

In coding theory, it is known that for given $k$ and $q$ there are constructions 
(e.g. using algebraic geometry codes [24]) for $(N, W, D, q)$ codes for which 
$N = O(\log W)$. In the context of proxy patterns, this means that there exists a 
$PP(N, N-D+1, W, Nq)$ in which $N = O(\log W)$. Applying this observation to one-time 
proxy signatures, we can reduce the number of elements in the public key 
from $O(n)$, for the simple proxy signature, to $O(\log n)$ for the proxy signature 
based on the coding construction. 
4.4 Bounds for Proxy Patterns 

To minimise the success probability of cheating by the primary signer, we need 
to have a $PP(t,k,n,M)$ for which the value $n$ is as large as possible while the other 
parameters $t$, $k$ and $M$ are fixed. In the following we derive an upper bound for 
such $n$. 

Theorem 3. For any $PP(t,k,n,M)$, the following inequality holds 

$$n \le \binom{M}{k} \Big/ \binom{t}{k}.$$ 

Proof. Assume that $C = [c_{ij}]$ is a $PP(t,k,n,M)$ with entries taken from an $M$-set 
$X$. For each row $i$, we associate a subset $B_i$ of $X$, i.e., $B_i = \{c_{i1}, \ldots, c_{it}\} \subseteq X$, 
where $i = 1, \ldots, n$. Clearly, $|B_i| = t$ and $|B_i \cap B_j| < k$ for all $i, j$ where $i \ne j$. 
For each $1 \le i \le n$, denote by $\mathcal{R}_i$ the family of all the $k$-subsets of $B_i$. This 
implies that $|\mathcal{R}_i| = \binom{t}{k}$. Now we claim that $\mathcal{R}_i \cap \mathcal{R}_j = \emptyset$ for each $i \ne j$. If this 
claim is not true, i.e., some $B \in \mathcal{R}_i \cap \mathcal{R}_j$ is a $k$-subset of $X$, then $B$ is a $k$-subset of both 
$B_i$ and $B_j$, which contradicts the fact that $|B_i \cap B_j| < k$. Thus we have 

$$\binom{M}{k} \ge \Big|\bigcup_{i=1}^{n} \mathcal{R}_i\Big| = \sum_{i=1}^{n} |\mathcal{R}_i| = n \binom{t}{k}.$$ 

The desired result follows immediately. □ 

Next, we show that the bound in Theorem 3 is tight for some parameter sets. 
Recall that a Steiner system $S(k,t,M)$ is a pair $(X, \mathcal{B})$, where $X$ is a set of $M$ 
elements called points and $\mathcal{B}$ is a family of $t$-subsets of $X$ called blocks, such 
that every $k$-subset of points is contained in a unique block. It is known that the 
number of blocks of an $S(k,t,M)$ is $\binom{M}{k} / \binom{t}{k}$. 

Corollary 1. A $PP(t,k,n,M)$ with $n = \binom{M}{k} / \binom{t}{k}$ exists if and only if there 
exists an $S(k,t,M)$. 

Proof. Let $(X, \mathcal{B})$ be an $S(k,t,M)$. For each block, associate a row of an $n \times t$ 
array in a natural way, i.e., the entries of the $i$th row are assigned the elements 
of the block $B_i$. It is easy to see that this assignment gives rise to a $PP(t,k,n,M)$ 
with $n = \binom{M}{k} / \binom{t}{k}$. 

On the other hand, assume that $C$ is a $PP(t,k,\binom{M}{k}/\binom{t}{k},M)$ with entries 
from an $M$-set $X$. Since each row of $C$ is a subset of $X$, we obtain a set system $(X, \mathcal{B})$ 
where $\mathcal{B} = \{B_i : 1 \le i \le \binom{M}{k}/\binom{t}{k}\}$. It is clear that each $k$-subset of $X$ appears 
in at most one block. So we need to show that it is contained in at least one 
block. Using the same notation as in Theorem 3, we know that each block $B_i$ 
contributes $\binom{t}{k}$ $k$-subsets $\mathcal{R}_i$ of $X$. Since the $\mathcal{R}_i$ are disjoint and there are $\binom{M}{k}/\binom{t}{k}$ 
such $\mathcal{R}_i$, together they give all the $\binom{M}{k}$ possible choices of $k$-subsets of $X$, which 
means that any $k$-subset must be in one of the $B_i$. This concludes the proof. □ 



518 Huaxiong Wang and Josef Pieprzyk 


5 Proxy Signatures Secure against Swallow Attacks 

Consider the following attack: suppose the primary signer has seen a valid signature 
$(m, \delta)$ produced by the proxy. She knows that the private key of the proxy 
signer is the $i$th row of the proxy pattern. Now the primary signer swallows the 
signature generated by the proxy signer, and generates the signature for another 
new message, using the private key of the proxy signer. In this case, the proxy 
signer is unable to prove his innocence. We will call it the swallow attack. 

In order to protect proxy signatures against the swallow attack, the primary 
signer should not be able to guess the private key of the proxy from a signature 
produced by the proxy. Looking at a message and its signature, the primary 
signer should not be able to determine the private key of the proxy. In other 
words, a single proxy signature should point at many (potential) private keys 
of the proxy. On the other hand, there should not be too many private keys 
corresponding to a given proxy signature. Otherwise, the proxy signature can 
be subject to an attack in which the primary signer chooses at random the 
proxy private key (without looking at the signature) and succeeds with a high 
probability. Based on this observation, we propose a new proxy signature that 
is secure against the swallow attack. 

First we need some notation. Let $C = (c_{ij})$ be an $n \times t$ array with entries 
from an $M$-set $X$. For any $1 \le i \le n$ and $1 \le j_1 < j_2 < \cdots < j_k \le t$, we 
denote 

$$C[i; j_1, \ldots, j_k] = \{\ell \mid c_{\ell j_1} = c_{ij_1}, \ldots, c_{\ell j_k} = c_{ij_k}\}.$$ 

In other words, $C[i; j_1, j_2, \ldots, j_k]$ is the set of indices of the rows which are 
identical to the $i$th row when restricted to the columns $j_1, \ldots, j_k$. 

Definition 3. Given a set $X = \{x_1, \ldots, x_M\}$. An $n \times t$ array $C = (c_{ij})$, with 
entries from $X$, is called a $(\lambda_1, \lambda_2)$-strong $(t,k,n,M)$ proxy pattern, denoted by 
$(\lambda_1, \lambda_2)$-$SPP(t,k,n,M)$ for a $(t,k)$ one-time signature if 

1. each row of $C$ contains $t$ different elements of $X$, 

2. any two distinct rows of $C$ have at most $k$ common elements, i.e., for any 
$i \ne j$, 

$$|\{c_{i1}, \ldots, c_{it}\} \cap \{c_{j1}, \ldots, c_{jt}\}| \le k.$$ 

3. for any row $1 \le i \le n$ and any $k$ columns $1 \le j_1 < j_2 < \cdots < j_k \le t$, 

$$\lambda_1 \le |C[i; j_1, j_2, \ldots, j_k]| \le \lambda_2.$$ 

We now combine a $(\lambda_1, \lambda_2)$-$SPP(t,k,n,M)$ and a $(t,k)$ one-time signature 
to construct an OTP signature secure against the swallow attack. Assume $C = (c_{ij})$ 
is a $(\lambda_1, \lambda_2)$-$SPP(t,k,n,M)$ with entries taken from $X = \{1, \ldots, M\}$ and 
$O = (T, S, f)$ is a $(t,k)$ one-time signature. The signature works as follows. 

Key Generation: It consists of the following three steps. 

— The primary signer randomly chooses $M$ distinct elements $(s_1, s_2, \ldots, s_M)$ 
as the private key (for example, each $s_i$ is an $\ell$-bit string if the private 
key of the underlying one-time signature $O$ consists of $\ell$-bit strings). The 
public key is $V = (v_1, \ldots, v_M)$, where $v_i = f(s_i)$, $i = 1, \ldots, M$. 

— The primary and proxy signers execute an $OT^M_t$ protocol. At the end 
of the protocol, the proxy signer learns a $t$-subset of $X$ that is the $i$th 
row of $C$, i.e., $(s_{c_{i1}}, \ldots, s_{c_{it}})$, as his private key, but nothing more. The 
primary signer has no information about the index $i$. 

— The proxy signer applies $f$ to $(s_{c_{i1}}, \ldots, s_{c_{it}})$ and checks the results by 
comparing them to the corresponding components of the public key $V$. 
If the check fails, the proxy aborts and complains. 

Signing: To sign a message $m$, the proxy signer computes $S(m) = \{j_1, j_2, \ldots, j_k\}$ 
and $C[i; j_1, \ldots, j_k]$. Then he randomly chooses $\ell \in C[i; j_1, \ldots, j_k]$, and 
reveals $\delta = \{(s_{c_{\ell j_1}}, \ldots, s_{c_{\ell j_k}}), \ell\}$ as the signature. 

Verifying: It follows the verification of the $(t,k)$ one-time signature (applied 
to the $\ell$th row) in a straightforward manner. 

Clearly, the unforgeability against the third party is the same as the underlying 
one-time signature scheme O. Next we show that the scheme is secure against 
regular attacks and the swallow attacks from the primary signer. 

Lemma 1. The probability that the primary signer succeeds in the regular attack 
(without seeing any signature) is at most $\lambda_2 / n$. 

Proof. In this attack, the primary signer generates a signature and later claims 
that it was generated by the proxy signer. She succeeds if the proxy signer fails to 
prove that he has not generated the signature. As the primary signer has no 
information about the index $i$ chosen by the proxy signer, she may try to guess it. 
Assume that she has chosen the index $j$. For a message $m$, the primary signer 
computes $S(m) = \{j_1, \ldots, j_k\}$ and reveals the signature $\{(s_{c_{jj_1}}, \ldots, s_{c_{jj_k}}), \ell\}$, where 
$\ell \in C[j; j_1, \ldots, j_k]$. Note that if $j \notin C[i; j_1, \ldots, j_k]$, then the proxy can sign 
the message $m$ using a different key from the $i$th row, which results in a signature 
different from that of the primary signer. The primary signer succeeds if and only if 
$j \in C[i; j_1, j_2, \ldots, j_k]$. Since $C$ is a $(\lambda_1, \lambda_2)$-$SPP(t,k,n,M)$, we know that 
$|C[i; j_1, \ldots, j_k]| \le \lambda_2$ and the result follows. □ 

Lemma 2. The probability that the primary signer succeeds in the swallow attack 
(having seen a signature) is at most $\max\{1/\lambda_1, \lambda_2/n\}$. 

Proof. In this attack, the primary signer has seen a message/signature pair $(m, \delta)$ 
generated by the proxy signer. Next she swallows the data and generates another 
message/signature pair $(m', \delta')$. She succeeds if the proxy signer fails to 
prove that there is cheating from the primary signer. Suppose that the proxy 
signer has chosen the index $i$. For a signature $(m, \delta)$ generated by the proxy 
signer, we may assume that $\delta = \{(s_{c_{\ell j_1}}, \ldots, s_{c_{\ell j_k}}), \ell\}$, where $S(m) = \{j_1, \ldots, j_k\}$ 
and $\ell \in C[i; j_1, \ldots, j_k]$. Having seen the signature $\delta$, the primary signer knows 
that the secret index chosen by the proxy signer is one of the elements in 
$C[\ell; j_1, \ldots, j_k]$. One attack strategy for the primary signer is to randomly 
choose $j \in C[\ell; j_1, \ldots, j_k]$ and use the secret key from the $j$th row to generate the 
signature $(m', \delta')$. She succeeds with probability $1 / |C[\ell; j_1, \ldots, j_k]|$ that $j = i$. 
If $j \ne i$, then the proxy signer can generate the signature for $m'$, say $\delta''$. It can 
be seen that $\delta' \ne \delta''$, which means that the proxy can present two signatures for 
the same message $m'$ under two different row keys. This proves that the primary 
signer attempted to cheat. Another strategy for the primary signer is to choose 
$j \notin C[\ell; j_1, \ldots, j_k]$. In this case, she succeeds if and only if $j \in C[i; j'_1, \ldots, j'_k]$, 
where $S(m') = \{j'_1, \ldots, j'_k\}$. As in the proof of Lemma 1, the probability of a 
successful attack using this strategy is at most $\lambda_2 / n$. Therefore, the overall success 
probability of the attack is bounded by $\max\{1/\lambda_1, \lambda_2/n\}$. □ 

Previously, we have used polynomials over a finite field to construct a
PP$(t, k, q^k, qt)$. We will show that this construction can be extended to a
$(q, q)$-SPP$(t, k-1, q^k, qt)$.

Theorem 4. The polynomial construction for a PP$(t, k, q^k, qt)$ given in Section
4 results in a $(q, q)$-SPP$(t, k-1, q^k, qt)$.

Proof. We already know that the polynomial construction gives rise to a
PP$(t, k, q^k, qt)$, $C = (c_{ij})$. To show that $C$ is a $(q, q)$-SPP$(t, k-1, q^k, qt)$,
we need to show that for any $1 \le i \le q^k$ and $1 \le j_1 < j_2 < \cdots < j_{k-1} \le t$
we have

$$|C[i; j_1, j_2, \ldots, j_{k-1}]| = q.$$

In other words, we need to show that for any $k-1$ distinct elements
$a_{j_1}, \ldots, a_{j_{k-1}} \in GF(q)$, and any $k-1$ elements
$\alpha_1, \ldots, \alpha_{k-1} \in GF(q)$, there are exactly $q$ polynomials $g$ of degree
at most $k-1$ such that

$$g(a_{j_1}) = \alpha_1, \ \ldots, \ g(a_{j_{k-1}}) = \alpha_{k-1}. \qquad (1)$$

Indeed, choose $a \in GF(q) \setminus \{a_{j_1}, \ldots, a_{j_{k-1}}\}$; then a polynomial $g$
satisfying (1) is uniquely determined by the value of $g(a)$, since a polynomial of
degree at most $k-1$ is fixed by its values at $k$ distinct points. There are $q$
different possible choices for $g(a)$, which in turn give rise to $q$ polynomials
satisfying (1). This proves our desired result. $\square$
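The following Python is an added example written for this page, not code from the paper: it builds the polynomial pattern of Theorem 4 over a prime field GF(q), checks the PP property (k columns determine the row) and the (q, q)-SPP property (k-1 columns leave exactly q candidate rows), evaluates the Lemma 1 guessing bound |C[j; J]|/n, and runs the re-signing dispute check from the conclusions. Two assumptions are the example's own, since Section 4 is not reproduced here: the evaluation points are a_j = j for j = 0, ..., t-1, and a "signature" is modelled by the entries of the signing row on the selected columns (the one-way-function keys s_{c_ij} of the real scheme are abstracted away).

```python
"""Polynomial proxy pattern over GF(q), q prime (added example; not the paper's code).
Rows are the q^k polynomials of degree <= k-1, columns are t distinct evaluation
points, entry c_ij = g_i(a_j).  ASSUMPTIONS: points a_j = j, and a 'signature' is
the tuple of row entries on the columns S(m) (the keys s_{c_ij} are abstracted)."""
from itertools import combinations, product


def poly_eval(coeffs, a, q):
    """Horner evaluation of coeffs[0] + coeffs[1]*a + ... + coeffs[k-1]*a^(k-1) mod q."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * a + c) % q
    return acc


def polynomial_pattern(q, k, t):
    """The q^k x t matrix C = (c_ij); row i is the i-th coefficient vector (lexicographic)."""
    assert t <= q, "need t distinct evaluation points in GF(q)"
    points = range(t)
    return [tuple(poly_eval(g, a, q) for a in points)
            for g in product(range(q), repeat=k)]


def consistent_rows(C, i, cols):
    """C[i; j_1, ..., j_s]: indices of rows agreeing with row i on the columns in cols."""
    return [r for r, row in enumerate(C) if all(row[j] == C[i][j] for j in cols)]


def spp_bounds(C, s):
    """(lambda_1, lambda_2) = min / max of |C[i; J]| over all rows i and s-subsets J.
    (1, 1) means s columns determine the row (the PP property); Theorem 4 says
    s = k-1 columns give (q, q) for the polynomial construction."""
    t = len(C[0])
    sizes = [len(consistent_rows(C, i, J))
             for J in combinations(range(t), s) for i in range(len(C))]
    return min(sizes), max(sizes)


def guess_success_probability(C, j, cols):
    """Lemma 1: the primary signer signs with a guessed row j without seeing any
    proxy signature; she wins iff the proxy's uniformly chosen row i lies in C[j; cols]
    (agreement on cols is symmetric), so the probability is |C[j; cols]| / n <= lambda_2 / n."""
    return len(consistent_rows(C, j, cols)) / len(C)


def sign(C, row, cols):
    """Abstract signature: the signing row's entries on the columns S(m) = cols."""
    return tuple(C[row][j] for j in cols)


def resolve_dispute(C, proxy_row, cols, disputed_sig):
    """Dispute resolution from the conclusions: the proxy re-signs with its own row.
    A different signature proves the disputed one came from the primary signer."""
    return "primary" if sign(C, proxy_row, cols) != disputed_sig else "proxy"
```

With q = 3, k = 3, t = 3 the matrix has 27 rows; three columns pin down a row, two columns leave exactly three rows (the (q, q)-SPP of Theorem 4), and a primary signer who guesses a row blind succeeds with probability 3/27 on any pair of columns. The dispute check only works because the primary signer's row, when it lies outside C[i; cols], disagrees with the proxy's row on at least one revealed column.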

It should be noted that constructions for strong proxy patterns can also
be based on error-correcting codes. The argument follows the one developed in
Section 4.3. However, it is not clear how the parameters $\lambda_1, \lambda_2$ are related to the
parameters of the codes. We believe that it is an interesting problem for further
research.

6 Conclusions 

In this work, we have studied one-time proxy signature schemes. Unlike other
existing one-time proxy signature schemes, which are constructed using public-key
cryptography, we have proposed one-time proxy signatures based on one-way
functions. These signatures preserve the basic functionalities and properties of
one-time signatures (including their fast generation and verification) but also
allow the primary signer to delegate the power of signing to a chosen proxy.

The one-time proxy signatures permit full delegation for which potential
verifiers are not able to distinguish primary signers from proxy. However, in case
of a dispute between the signers about the authorship of a signature, a trusted
authority is able to run an algorithm to resolve the dispute. The algorithm asks
the proxy to re-generate a signature for the disputed message. If the proxy is
able to produce a signature different from the disputed one, then the true signer
of the signature is the primary signer. Otherwise, the proxy has generated the
signature.

One-time proxy signatures can be especially useful where there is a need for 
fast generation and verification together with a need to share power of signing. 
Applications may include authentication of streams of packets in a distributed 
environment with mirror servers generating proxy signatures. 

Our approach is based on a combination of a certain type of existing one-time
signature with some combinatorial objects. While the former can be optimised
using the known techniques in the literature, the latter are new combinatorial
objects we introduce in this paper and so are of independent interest. In
particular, the structures of strong proxy patterns are far from clear, and providing
efficient constructions for them is an interesting research problem.
Abstract. Motivated by privacy issues associated with dissemination of
signed digital certificates, we define a new type of signature scheme called
a ‘Universal Designated-Verifier Signature’ (UDVS). A UDVS scheme
can function as a standard publicly-verifiable digital signature but has
additional functionality which allows any holder of a signature (not
necessarily the signer) to designate the signature to any desired designated-
verifier (using the verifier’s public key). Given the designated-signature,
the designated-verifier can verify that the message was signed by the
signer, but is unable to convince anyone else of this fact.

We propose an efficient deterministic UDVS scheme constructed using
any bilinear group-pair. Our UDVS scheme functions as a standard
Boneh-Lynn-Shacham (BLS) signature when no verifier-designation is
performed, and is therefore compatible with the key-generation, signing
and verifying algorithms of the BLS scheme. We prove that our UDVS
scheme is secure in the sense of our unforgeability and privacy notions
for UDVS schemes, under the Bilinear Diffie-Hellman (BDH) assumption
for the underlying group-pair, in the random-oracle model. We also
demonstrate a general constructive equivalence between a class of
unforgeable and unconditionally-private UDVS schemes having unique
signatures (which includes the deterministic UDVS schemes) and a class of
ID-Based Encryption (IBE) schemes which contains the Boneh-Franklin
IBE scheme but not the Cocks IBE scheme.

1 Introduction 

In the modern world, one can find many examples of user certification systems. In 
these systems, a trusted Certification Authority (CA) issues signed certificates to 
users. Typically, the signed certificate attests to the truth of certain statements 
and attributes linked to the identity of the user to which the certificate is issued. 
A user Alice can present her certificate to any interested verifier Bob, who can 
in turn verify the CA’s signature and become convinced of the truth of the 
statements contained in the certificate. Real-life examples include the issuing of 
birth certificates, driving licences and academic transcripts. 

In an electronic world, user certification systems can be implemented through 
the use of digital signatures. The ease of copying and transmitting electronic 
certificates in such implementations is of great convenience to users; Alice can
simply send a copy of her certificate to any interested verifier Bob. On the 
other hand, this same ease of distribution applies to Bob as well, who can easily 
disseminate Alice’s certificate and convince an unlimited number of third-party 
verifiers about the truth of the statements concerning Alice contained in the 
certificate. This possibility poses a serious threat to Alice’s privacy. Once Alice 
sends out her certificate to Bob she no longer has any control over the number 
of entities besides Bob who can not only learn all the statements about Alice 
contained in the certificate, but also become convinced about the truth of these 
statements by verifying the CA’s signature on the certificate. 

In this paper, we define a special type of digital signature scheme called a
Universal Designated-Verifier Signature (UDVS) scheme, which directly addresses
the above user privacy issue in user certification systems. Our scheme protects
a user’s privacy, and yet maintains a similar convenience of use for the user and
for the certificate issuer CA as in certification systems using standard digital
signatures. In a UDVS scheme, a user Alice is issued a signed certificate by the
CA. When Alice wishes to send her certificate to a verifier Bob, she uses Bob’s
public key to transform the CA’s signature into a designated signature for Bob,
using the UDVS scheme’s designation algorithm, and sends the certificate along
with the designated-signature to Bob. Bob can use the CA’s public key to verify
the designated signature on the certificate, but is unable to use this designated
signature to convince any other third-party that the certificate was signed by
the CA, even if Bob is willing to reveal his secret-key to the third-party. This is
achieved because Bob’s secret-key allows him to forge designated signatures by
himself, so the third-party is unable to tell who produced the signature (whereas
Bob can, because he knows that he didn’t produce it). Therefore, through the
use of a UDVS scheme, the user Alice’s privacy is preserved in the sense that Bob
is unable to disseminate convincing statements about Alice (of course, nothing
prevents Bob from revealing the certificate statements themselves to any third-
party, but the third-party will be unable to tell whether these statements are
authentic, i.e. whether they have been signed by the CA or not).

We define quantitative notions of security for both the unforgeability and the
privacy provided by UDVS schemes. We then propose an efficient UDVS scheme
constructed from any bilinear group-pair, and we prove that this scheme satisfies
our security requirements: it achieves perfect unconditional privacy and is
unforgeable in the random-oracle model, assuming that the Bilinear Diffie-Hellman
(BDH) assumption holds for the underlying bilinear group-pair. Our scheme has
the attractive property that its signing, designation, and verification algorithms
are all deterministic. We also show a general result which establishes a
constructive equivalence between a class of unconditionally-private UDVS schemes
possessing unique signatures (which contains all deterministic schemes) and a
class of strongly-secure Identity-Based Encryption (IBE) schemes which contains
the Boneh-Franklin IBE scheme [2], but not the Cocks IBE scheme [14]. Proofs
of some statements have been omitted from the appendix due to lack of space.
They can be found in the full version of the paper uploaded to the IACR e-print
archive.

1.1 Related Work 

Our concept of UDVS schemes can be viewed as an application of the general 
idea of designated-verifier proofs, introduced by Jakobsson, Sako and Impagli- 
azzo [21], where a prover non-interactively designates a proof of a statement to 
a verifier, in such a way that the verifier can simulate the proof by himself with 
his secret key and thus cannot transfer the proof to convince anyone else about 
the truth of the statement, yet the verifier himself is convinced by the proof. The 
authors of [21] also propose a designated-verifier non-interactive undeniable sig- 
nature, in which the three-move zero-knowledge signature confirmation protocol 
of an undeniable signature [12] (converted to be non-interactive in the random- 
oracle model via the Fiat-Shamir heuristic [16]) is modified to be designated- 
verifier by replacing the commitment with a trapdoor commitment [7], in which 
the verifier’s secret key is the trapdoor. However, the resulting scheme in [21] 
allows designation of signatures only by the signer (since designation requires 
the signer’s secret key), whereas our UDVS scheme allows anyone who obtains a 
signature to designate it; this is what we mean by the term universal in the name 
‘Universal Designated-Verifier Signatures’. As we explain in Section 4.1, the idea 
in [21] of using a trapdoor commitment in a non-interactive zero-knowledge proof 
can also be used in principle to convert generic digital signature schemes into 
UDVS schemes. However, the use of a zero-knowledge proof results in a desig- 
nation algorithm which is randomized, and typically inefficient. In contrast, we 
show that using bilinear group-pairs one can avoid zero-knowledge proofs and 
construct a UDVS scheme which has a deterministic and efficient designation 
algorithm. 

There have been other approaches proposed to address the privacy threat 
associated with dissemination of verifiable signed documents. Chaum and van 
Antwerpen [10,12] introduced undeniable signatures for this purpose, which 
require a signer or confirmer’s [13,27,25,9,17] interactive cooperation to ver- 
ify a signature, but this approach places significant inconvenience and work- 
load on verifiers and confirmers, compared to an off-line non-interactive veri- 
fication. There has been substantial work on pseudonym-based digital creden- 
tials [11,6,5,8] which gives further approaches to enhance user privacy, such as 
selective disclosure of attributes (see also [31]) and unlinkability of user trans- 
actions. Chameleon signatures [24] allow designation of signatures to verifiers 
by the signer, and in addition allow a signer to prove a forgery by a designated 
verifier. Ring signatures [28], when restricted to two users, can also be viewed as 
designated-verifier signatures, where one user is the actual signer and the other 
user is the designated-verifier who can also forge the two-user ring signature, thus 
providing the privacy property, called signer anonymity in the context of ring 
signatures. However, signer designation is still performed by the signer. Recently, 
Boneh, Gentry, Lynn and Shacham [3] proposed a ring signature based on bilin- 
ear group-pairs and observed that it also allows public conversion of single-signer 
ring signatures into two-signer ring signatures. Thus, the ring signature scheme
in [3] can also be viewed as a UDVS scheme. However, we observe that our pro- 
posed UDVS scheme has two advantages over the UDVS scheme in [3]: (1) Our 
scheme has deterministic designation and signing algorithms, and therefore pos- 
sesses unique designated-verifier signatures (unlike the randomized designation 
scheme in [3]). As we show in Sec. 5, secure UDVS schemes with unique signa- 
tures are as hard to construct as secure ID-Based Encryption (IBE) schemes (our 
scheme is related to the Boneh-Franklin IBE [2]), whereas this is not the case for 
randomized UDVS schemes, which can be constructed using other methods, (2) 
Our scheme extends the standard BLS signature [4], whereas the scheme in [3] 
is built on a modified BLS scheme. Our scheme also has an efficiency advantage 
in verification compared to [3] (see Section 6.1). 

2 Preliminaries 

2.1 Notation 

We say that a function $f : \mathbb{N} \to \mathbb{R}$ is a negligible function if, for any $c > 0$, there
exists $k_0 \in \mathbb{N}$ such that $f(k) < 1/k^c$ for all $k > k_0$. We say that a probability
function $p : \mathbb{N} \to \mathbb{R}$ is overwhelming if the function $q : \mathbb{N} \to \mathbb{R}$ defined by
$q(k) = 1 - p(k)$ is a negligible function. For various algorithms discussed, we
will define a sequence of integers to measure the resource parameters of these
algorithms (e.g. running-time plus program length, number of oracle queries to
various oracles). All these resource parameters can in general be functions of a
security parameter $k$ of the scheme. We say that an algorithm $A$ with resource
parameters $RP = (r_1, \ldots, r_n)$ is efficient if each resource parameter $r_i(k)$ of $A$ is
bounded by a polynomial function of the security parameter $k$, i.e. there exists a
$k_0 > 0$ and $c > 0$ such that $r_i(k) < k^c$ for all $k > k_0$. For a probabilistic algorithm
$A$, we use $A(x; r)$ to denote the output of $A$ on input $x$ with a randomness input
$r$. If we do not specify $r$ explicitly we do so with the understanding that $r$ is
chosen statistically independent of all other variables. We denote by $\{A(x)\}$ the
set of outputs of $A$ on input $x$ as we sweep the randomness input for $A$ through
all possible strings.


2.2 Bilinear Group-Pairs 

Our signature scheme proposed in Section 4.2 is built using a powerful crypto- 
graphic tool called a Bilinear Group-Pair. In this section we review the defini- 
tion of a bilinear group-pair, following the definitions of [3]. We refer the reader 
to [22,23,2,4] for a discussion of how to build a concrete instance of such a 
group-pair using supersingular elliptic curves, and to [1] for efficient algorithms 
for computing the bilinear map over these group-pairs. 

Definition 1 (Bilinear Group-Pair). Let $(G_1, G_2)$ denote a pair of groups of
prime order $|G_1| = |G_2|$. We call the group-pair $(G_1, G_2)$ a Bilinear Group-Pair
if the pair $(G_1, G_2)$ has the following properties:

(1) Efficient Group Operations: The group operations in $G_1$ and $G_2$ are
efficiently computable (in some representation).

(2) Existence of Efficient Bilinear Map: There exists an efficiently computable
bilinear map $e : G_1 \times G_2 \to G_T$ (for some image group $G_T$ of order
$|G_T| = |G_1| = |G_2|$) having the following properties:

(a) Bilinearity: $e(u_1^{a_1}, u_2^{a_2}) = e(u_1, u_2)^{a_1 a_2}$ for all $(u_1, u_2) \in G_1 \times G_2$ and
$(a_1, a_2) \in \mathbb{Z}^2$.

(b) Non-Degeneracy: $e(u_1, u_2) \ne 1$ for all $(u_1, u_2) \in (G_1 \setminus \{1\}) \times (G_2 \setminus \{1\})$ (here
$1$ denotes the identity element in the respective group).

(3) Existence of Efficient Isomorphism: There exists an efficiently computable
group isomorphism $\psi : G_1 \to G_2$ from $G_1$ to $G_2$.

Our signature scheme’s security relies on the computational hardness of the
Bilinear Diffie-Hellman (BDH) problem associated with the bilinear group-pair
used to construct the scheme. We review the BDH problem, and remark that
the Boneh-Franklin ID-Based Encryption scheme [2] and Joux’s tripartite key
exchange protocol [22] also rely on the hardness of BDH.

Definition 2 (Bilinear Diffie-Hellman (BDH) Problem). Let GC denote
a randomized bilinear group-pair instance generation algorithm, which on input
a security parameter $k$, outputs $(D_G, g_1)$, where $D_G \in \{0,1\}^*$ is a description
string for a bilinear group-pair $(G_1, G_2)$. We say that the BDH problem
is hard in group-pairs generated by GC if, for any efficient attacker $A$, the
probability $\mathrm{Succ}^{\mathrm{BDH}}_A(k)$ that $A$ succeeds to compute $K = e(g_1, g_2)^{abc}$ given
$(D_G, g_1, g_1^a, g_1^b, g_2^c)$ for uniformly random $a, b, c \in \mathbb{Z}_{|G_1|}$, where $g_2 = \psi(g_1)$,
is a negligible function of $k$ (the probability is over $A$’s random coins and
the input to $A$). We quantify the insecurity of BDH against arbitrary attackers
with running-time plus program length $t$ by the probability
$\mathrm{InSec}^{\mathrm{BDH}}(t) = \max_{A \in AS_{RP}} \mathrm{Succ}^{\mathrm{BDH}}_A(k)$, where the set $AS_{RP}$ contains all
attackers with run-time $t$.

3 Universal Designated-Verifier Signature (UDVS) Schemes

3.1 Precise Definition of a UDVS Scheme 

A Universal Designated Verifier Signature (UDVS) scheme DVS consists of seven
algorithms and a ‘Verifier Key-Registration Protocol’ $P_{KR}$. All these algorithms
may be randomized.

1. Common Parameter Generation GC — on input a security parameter
$k$, outputs a string consisting of common scheme parameters $cp$ (publicly
shared by all users).

2. Signer Key Generation GKS — on input a common parameter string $cp$,
outputs a secret/public key-pair $(sk_1, pk_1)$ for the signer.

3. Verifier Key Generation GKV — on input a common parameter string
$cp$, outputs a secret/public key-pair $(sk_3, pk_3)$ for the verifier.

4. Signing S — on input signing secret key $sk_1$ and message $m$, outputs the signer’s
publicly-verifiable (PV) signature $\sigma$.

5. Public Verification V — on input signer’s public key $pk_1$ and message/PV-
signature pair $(m, \sigma)$, outputs verification decision $d \in \{\mathrm{Acc}, \mathrm{Rej}\}$.

6. Designation CDV — on input a signer’s public key $pk_1$, a verifier’s public
key $pk_3$ and a message/PV-signature pair $(m, \sigma)$, outputs a designated-
verifier (DV) signature $\hat{\sigma}$.

7. Designated Verification VDV — on input a signer’s public key $pk_1$, verifier’s
secret key $sk_3$, and message/DV-signature pair $(m, \hat{\sigma})$, outputs verification
decision $d \in \{\mathrm{Acc}, \mathrm{Rej}\}$.

8. Verifier Key-Registration $P_{KR} = (\mathrm{KRA}, \mathrm{VER})$ — a protocol between a
‘Key Registration Authority’ (KRA) and a ‘Verifier’ (VER) who wishes to
register a verifier’s public key. On common input $cp$, the algorithms KRA
and VER interact by sending messages alternately from one to another. At
the end of the protocol, KRA outputs a pair $(pk_3, \mathrm{Auth})$, where $pk_3$ is a
verifier’s public-key, and $\mathrm{Auth} \in \{\mathrm{Acc}, \mathrm{Rej}\}$ is a key-registration authorization
decision. We write $P_{KR}(\mathrm{KRA}, \mathrm{VER}) = (pk_3, \mathrm{Auth})$ to denote this protocol’s
output.

Verifier Key-Reg. Protocol. The purpose of the ‘Verifier Key-Registration’ protocol
is to force the verifier to ‘know’ the secret-key corresponding to his public-key,
in order to enforce the non-transferability privacy property. In this paper we
assume the direct key reg. protocol, in which the verifier simply reveals his key-pair
$(sk, pk)$, and the KRA authorizes it only if $(sk, pk) \in \{\mathrm{GKV}(cp)\}$.$^1$

Consistent UDVS Schemes. We require two obvious consistency properties
from UDVS schemes. The ‘PV-Consistency’ property requires that the PV-
signatures produced by the signer are accepted as valid by the PV-verification
algorithm V. The ‘DV-Consistency’ property requires that the DV-signatures
produced by the designator using the designation algorithm CDV are accepted
as valid by the DV-verification algorithm VDV. We say that a UDVS scheme is
consistent if it has both of the above consistency properties.

DVSig-Unique UDVS schemes. In this paper we are mainly interested
in DVSig-Unique UDVS schemes, in which the DV signature
$\hat{\sigma}^*_{DV} = \mathrm{CDV}(pk_1, pk_3, S(sk_1, m^*))$ on a message $m^*$ by a signer with public key $pk_1$
(and secret key $sk_1$) to a verifier with public key $pk_3$, is uniquely determined by
$(m^*, pk_1, pk_3)$.

3.2 Security Properties of UDVS Schemes 

3.2.1 Unforgeability. In the case of a UDVS scheme there are actually
two types of unforgeability properties to consider. The first property, called
‘PV-Unforgeability’, is just the usual existential unforgeability notion
under chosen-message attack [19] for the standard PV signature scheme
D = (GC, GKS, S, V) induced by the UDVS scheme (this prevents attacks to fool the
designator). The second property, called ‘DV-Unforgeability’, requires that it
is difficult for an attacker to forge a DV-signature $\hat{\sigma}^*$ by the signer on a ‘new’
message $m^*$, such that the pair $(m^*, \hat{\sigma}^*)$ passes the DV-verification test with
respect to a given designated-verifier’s public key $pk_3$ (this prevents attacks
to fool the designated verifier, possibly mounted by a dishonest designator). It
is easy to see that, due to the existence of the efficient public-designation
algorithm CDV, the ‘DV-unforgeability’ property implies the ‘PV-unforgeability’
property$^2$, although the converse need not hold in general. Indeed, we will see
that our proposed UDVS scheme’s ‘PV-unforgeability’ can be proven with a
weaker assumption than that needed to prove the ‘DV-unforgeability’.

$^1$ The KRA can always perform this check efficiently, since we can assume that the
secret key $sk$ contains the randomness input to GKV used to generate it.

$^2$ Actually, this assumes that $\mathrm{V}(pk_1, m, \sigma) = \mathrm{Acc}$ implies $\sigma \in \{S(sk_1, m)\}$ for all
$(m, \sigma)$. But even if this does not hold, we can always redefine V to verify $(m, \sigma)$
using $pk_1$ as follows: compute a random key-pair $(sk_3, pk_3) = \mathrm{GKV}(cp)$, compute
$\hat{\sigma} = \mathrm{CDV}(pk_1, pk_3, m, \sigma)$ and return $\mathrm{VDV}(pk_1, sk_3, m, \hat{\sigma})$. It is easy to see that
using this V, DV-Unforgeability implies PV-Unforgeability.

Definition 3 (DV-Unforgeability). Let DVS = (GC, GKS, GKV, S, V, CDV,
VDV, $P_{KR}$) be a UDVS scheme. Let $A$ denote a forger attacking the unforgeability
of DVS. The DV-Unforgeability notion UF-DV for this scheme is defined
as follows:

1. Attacker Input: Signer and Verifier’s public-keys $(pk_1, pk_3)$ (from
$\mathrm{GKS}(k)$, $\mathrm{GKV}(k)$).

2. Attacker Resources: Run-time plus program-length at most $t$, oracle access
to signer’s signing oracle $S(sk_1, \cdot)$ ($q_s$ queries), and, if scheme DVS
makes use of $n$ random oracles $RO_1, \ldots, RO_n$, $q_{RO_i}$ queries to the $i$th
oracle $RO_i$ for $i = 1, \ldots, n$. We write the attacker’s Resource Parameters (RPs)
as $RP = (t, q_s, q_{RO_1}, \ldots, q_{RO_n})$.

3. Attacker Goal: Output a forgery message/DV-signature pair $(m^*, \hat{\sigma}^*)$ such
that:

(1) The forgery is valid, i.e. $\mathrm{VDV}(pk_1, sk_3, m^*, \hat{\sigma}^*) = \mathrm{Acc}$.

(2) Message $m^*$ is ‘new’, i.e. has not been queried by the attacker to S.

4. Security Notion Definition: The scheme is said to be unforgeable in the sense
of UF-DV if, for any efficient attacker $A$, the probability $\mathrm{Succ}^{\mathrm{UF\text{-}DV}}_{A,\mathrm{DVS}}(k)$ that
$A$ succeeds in achieving the above goal is a negligible function of $k$. We quantify
the insecurity of DVS in the sense of UF-DV against arbitrary attackers with
resource parameters $RP = (t, q_s, q_{RO_1}, \ldots, q_{RO_n})$ by the probability

$$\mathrm{InSec}^{\mathrm{UF\text{-}DV}}_{\mathrm{DVS}}(t, q_s, q_{RO_1}, \ldots, q_{RO_n}) \stackrel{\mathrm{def}}{=} \max_{A \in AS_{RP}} \mathrm{Succ}^{\mathrm{UF\text{-}DV}}_{A,\mathrm{DVS}}(k),$$

where the set $AS_{RP}$ contains all attackers with resource parameters $RP$.

3.2.2 Non-transferability Privacy. Informally, the purpose of the privacy
property for a UDVS scheme is to prevent a designated-verifier from using the
DV signature $\hat{\sigma}_{DV}$ on a message $m$ to produce evidence which convinces a third-
party that the message $m$ was signed by the signer. Our model’s goal is to capture
a setting in which the signature holder provides many designated-signatures on $m$,
designated to many verifier public keys of the attacker’s choice. We quantify this
property using the following privacy attack model. In our model, the attacker
is a pair of interacting algorithms $(A_1, A_2)$ representing the designated-verifier
(DV) and Third-Party (TP), respectively, which run in two stages. At the end
of Stage 1, $A_1$ decides on a message $m^*$ to be signed by the signer. In Stage 2,
$A_1$ obtains up to $q_d$ DV signatures $(\hat{\sigma}_1, \ldots, \hat{\sigma}_{q_d})$ by the signer on $m^*$ from a
designator oracle, designated to public-keys of $A_1$’s choice (these keys must first
be registered by $A_1$ via key-reg. interactions with the KRA), and tries to use the
$\hat{\sigma}_i$’s to convince $A_2$ that the signer signed $m^*$. At the end of Stage 2, $A_2$ outputs
an estimate $d \in \{\mathrm{yes}, \mathrm{no}\}$ for the answer to the question ‘did the signer sign $m^*$?’

We associate with $(A_1, A_2)$ a convincing measure $C_{\tilde{A}_1}(A_1, A_2)$ with respect
to a forgery strategy $\tilde{A}_1$, to measure the ‘degree’ to which $A_2$ can be convinced
by $A_1$ that the signer signed $m^*$. It is defined as the distinguisher advantage of
$A_2$’s estimate $d$ to correctly distinguish between (1) the game yes, where the
signer did sign $m^*$ and $A_1$ obtained one or more DV signatures on $m^*$ from the
designator oracle, or (2) the game no, where the signer did not sign $m^*$ and $A_1$
was actually replaced by an efficient forging strategy, called $\tilde{A}_1$ (which accepts
the program for $A_1$ as input), which aims to “trick” $A_2$ into believing that the
signer signed $m^*$, without the need to obtain any DV signatures on $m^*$ from the
designator oracle. The scheme is said to achieve the privacy property if there is
an efficient forgery strategy $\tilde{A}_1$ such that $C_{\tilde{A}_1}(A_1, A_2)$ is negligible for any efficient
attacker pair $(A_1, A_2)$.

Definition 4 (PR-Privacy). Let DVS = (GC, GKS, GKV, S, V, CDV, VDV,
$P_{KR}$) be a UDVS scheme. Let $(A_1, A_2)$ denote an attack pair against the privacy
of DVS. Let $\tilde{A}_1$ denote a forgery strategy. The privacy notion PR for this
scheme is defined as follows:

1. Attacker Input: Signer public-key $pk_1$ (where $(sk_1, pk_1) = \mathrm{GKS}(cp)$, and
$cp = \mathrm{GC}(k)$). Note that $\tilde{A}_1$ also accepts the program for $A_1$ as input.

2. Resources for $(A_1, \tilde{A}_1)$: Run-time $(t_1, \tilde{t}_1)$, access to signing oracle $S(sk_1, \cdot)$
(up to $(q_s, \tilde{q}_s)$ queried messages different from $m^*$), access to key-reg. protocol
interactions with the KRA (up to $(q_k, \tilde{q}_k)$ interactions), access to $A_2$ oracle
(up to $(q_c, \tilde{q}_c)$ messages). In Stage 2, $A_1$ also has access to the designation oracle
$\mathrm{CDV}(pk_1, \cdot, m^*, \sigma^*)$ (up to $q_d$ queried keys successfully registered with the KRA),
where $\sigma^* = S(sk_1, m^*)$ is the signer’s signature on the challenge message $m^*$
output by $A_1$ at the end of Stage 1. Note that $\tilde{A}_1$ cannot make any designation
queries.

3. Resources for $A_2$: Run-time $t_2$.

4. Attacker Goal: Let $P(A_1, A_2)$ and $P(\tilde{A}_1, A_2)$ denote the probabilities that $A_2$
outputs yes when interacting with $A_1$ (game yes) and $\tilde{A}_1$ (game no), respectively.
The goal of $(A_1, A_2)$ is to achieve a non-negligible convincing measure

$$C_{\tilde{A}_1}(A_1, A_2) \stackrel{\mathrm{def}}{=} |P(A_1, A_2) - P(\tilde{A}_1, A_2)|.$$

5. Security Notion Definition: The scheme is said to achieve privacy in the
sense of PR if there exists an efficient forgery strategy $\tilde{A}_1$ such that the
convincing measure $C_{\tilde{A}_1}(A_1, A_2)$ achieved by any efficient attacker pair $(A_1, A_2)$
is negligible in the security parameter $k$. We quantify the insecurity of DVS
in the sense of PR against arbitrary attacker pairs $(A_1, A_2)$ with resources
$(RP_1, RP_2)$ (attacker set $AS_{RP_1, RP_2}$), with respect to arbitrary forgery strategies
$\tilde{A}_1$ with resources $\tilde{RP}_1$ (attacker set $AS_{\tilde{RP}_1}$) by the probability

$$\mathrm{InSec}^{\mathrm{PR}}_{\mathrm{DVS}}(\tilde{RP}_1, RP_1, RP_2) \stackrel{\mathrm{def}}{=} \min_{\tilde{A}_1 \in AS_{\tilde{RP}_1}} \ \max_{(A_1, A_2) \in AS_{RP_1, RP_2}} C_{\tilde{A}_1}(A_1, A_2).$$

If $\mathrm{InSec}^{\mathrm{PR}}_{\mathrm{DVS}}(\tilde{RP}_1, RP_1, RP_2) = 0$ holds for any computationally unbounded
$A_2$, it is said to be perfect unconditional privacy. If privacy holds when
$\tilde{q}_s = q_s$, it is said to be complete privacy.

Remark. The above privacy notion handles general UDVS schemes. For more
specific schemes, the definition can be simplified. For instance, for schemes using
the direct key-reg. protocol which have unique signatures, complete unconditional
privacy is equivalent to the existence of an efficient universal forgery
algorithm for DV signatures using the verifier’s secret key (this is the case for
our proposed scheme in this paper, but see Sec. 6.2 for other possibilities).

Lemma 1. Let DVS = (GC, GKS, GKV, S, V, CDV, VDV, $P_{KR}$) be a UDVS
scheme which is DVSig-Unique, and where $P_{KR}$ is the direct key-reg. protocol.
Then DVS achieves complete and perfect unconditional privacy if and only if
there exists an efficient universal DV-sig. forgery algorithm F, which on any
input $(cp, pk_1, sk_3, pk_3, m^*)$ (where $(sk_1, pk_1) \in \{\mathrm{GKS}(cp)\}$ and
$(sk_3, pk_3) \in \{\mathrm{GKV}(cp)\}$) computes the unique DV-sig.
$\hat{\sigma}_{DV} = \mathrm{CDV}(cp, pk_1, pk_3, S(sk_1, m^*))$ with probability 1.

4 Proposed UDVS Scheme 

4.1 An Inefficient Generic Approach 
for Constructing UDVS Schemes 

Before we present our efficient UDVS scheme, we sketch, as a plausibility argu- 
ment, the details of a generic (but inefficient) approach for constructing UDVS 
schemes, based on zero-knowledge designated-verifier proofs of membership [21].
We do not attempt to give a precise definition and proof of security properties 
for this generic scheme, but we believe this can be done along the outline we 
sketch below. 

The generic construction works as follows. We make use of a standard digital signature scheme $DS = (GKS, S, V)$ which is secure in the standard CMA sense of existential unforgeability under chosen message attack [19]. We also need a public-key encryption scheme $PKE = (GK_E, E, D)$ which is semantically secure under chosen-plaintext attack (IND-CPA) [20], and a trapdoor commitment scheme $TC$ [7]. The common parameter generation algorithm $GC$ for the UDVS scheme generates an encryption key-pair $(sk_E, pk_E) = GK_E(k)$ and outputs $pk_E$ as the common parameter. The signer key-generation/signing/PV-verification algorithms for the UDVS scheme are those of the signature scheme $DS$. The verifier's key-generation algorithm is that of the trapdoor commitment scheme $TC$. The designation algorithm $CDV$ takes as input the common parameter $pk_E$, a message $m$ and its signature $\sigma_{pv}$, the signer's public key $pk_1$, and the verifier's public key $pk_3$. The designated signature $\hat{\sigma}_{dv}$ is the pair $(c, P)$, where $c = E(pk_E, \sigma_{pv}; r)$ is the encryption of $\sigma_{pv}$ under the common public key $pk_E$ (using a random string $r$), and $P$ is a designated-verifier non-interactive proof that $c$ is in the NP language

$L_{pk_1, pk_E, m} = \{c : \exists (\sigma, r) \text{ such that } c = E(pk_E, \sigma; r) \text{ and } V(pk_1, m, \sigma) = \mathrm{Acc}\},$

consisting of all possible ciphertexts of valid signatures by the signer on the message $m$. Note that the designator has a witness $(\sigma, r)$ for membership of $c$ in $L_{pk_1, pk_E, m}$, and hence can use a generic zero-knowledge commit-challenge-response proof of membership for NP languages [18] to prove that $c \in L_{pk_1, pk_E, m}$. By applying the Fiat-Shamir heuristic (replacing the challenge by a hash of the commitments) to make the proof non-interactive and using the verifier's trapdoor commitment in the commit step, the designator can compute the desired designated-verifier proof $P$. The DV verification algorithm consists of verifying the proof $P$ for the ciphertext $c$. The DV-unforgeability of the scheme follows (in the random oracle model) from the soundness of the proof and the unforgeability of the underlying standard signature scheme: any forged ciphertext with a valid proof is by soundness a ciphertext of a valid signature and can be decrypted with $sk_E$ to give a forgery for the underlying signature scheme. The (computational) privacy follows from the forgeability of the proof $P$ by the designated verifier using his secret key, namely the commitment trapdoor (even for ciphertexts $c$ not in the language $L_{pk_1, pk_E, m}$), and the (computational) simulatability of the ciphertext $c$ by a random string, due to the semantic security of the encryption scheme.

Implementing the above scheme using a generic zero-knowledge NP proof system [18] would yield a very inefficient and randomized designation and inefficient DV verification. For specific choices of the underlying signature and encryption scheme, one may be able to give a more efficient zero-knowledge proof for the language $L_{pk_1, pk_E, m}$ and improve this efficiency to some extent. However, our bilinear scheme below shows how to eliminate zero-knowledge proofs altogether and obtain efficient, deterministic designation.


4.2 An Efficient UDVS Scheme DVSBM Based on Bilinear Group-Pairs

Our proposed UDVS scheme DVSBM based on bilinear group-pairs is given below. It makes use of a cryptographic hash function $H : \{0,1\}^{\le \ell} \to G_2$, modelled as a random oracle. Here $\ell$ denotes a bound on the message bit-length and $\{0,1\}^{\le \ell}$ denotes the message space of all strings of length at most $\ell$ bits. Note that for the basic version of DVSBM we propose the direct key registration protocol (see Section 3.1).

1. Common Parameter Generation GC. Choose a bilinear group-pair $(G_1, G_2)$ of prime order $|G_1| = |G_2|$ with description string $D_c$, specifying a bilinear map $e : G_1 \times G_2 \to G_T$, an isomorphism $\psi : G_1 \to G_2$ and generators $g_1 \in G_1$ and $g_2 = \psi(g_1) \in G_2$. The common parameters are $cp = (D_c, g_1)$.

2. Signer Key Generation GKS. Given $cp$, pick random $x_1 \in \mathbb{Z}_{|G_1|}$ and compute $y_1 = g_1^{x_1}$. The public key is $pk_1 = (cp, y_1)$. The secret key is $sk_1 = (cp, x_1)$.

3. Verifier Key Generation GKV. Given $cp$, pick random $x_3 \in \mathbb{Z}_{|G_1|}$ and compute $y_3 = g_1^{x_3}$. The public key is $pk_3 = (cp, y_3)$. The secret key is $sk_3 = (cp, x_3)$.

4. Signing S. Given the signer's secret key $(cp, x_1)$ and message $m$, compute $\sigma = h^{x_1} \in G_2$, where $h = H(m)$. The PV signature is $\sigma$.

5. Public Verification V. Given the signer's public key $(cp, y_1)$ and a message/PV-sig. pair $(m, \sigma)$, accept if and only if $e(g_1, \sigma) = e(y_1, h)$, where $h = H(m)$.

6. Designation CDV. Given the signer's public key $(cp, y_1)$, a verifier's public key $(cp, y_3)$ and a message/PV-signature pair $(m, \sigma)$, compute $\hat{\sigma} = e(y_3, \sigma)$. The DV signature is $\hat{\sigma}$.

7. Designated Verification VDV. Given a signer's public key $(cp, y_1)$, a verifier's secret key $(cp, x_3)$, and a message/DV-sig. pair $(m, \hat{\sigma})$, accept if and only if $\hat{\sigma} = e(y_1^{x_3}, h)$, where $h = H(m)$.

Consistency. We first demonstrate the consistency of scheme DVSBM. To show the PV-Consistency property, we note that if $\sigma_{pv} = S(sk_1, m) = h^{x_1}$, where $h = H(m)$, then

$e(g_1, \sigma_{pv}) = e(g_1, h^{x_1}) = e(g_1, h)^{x_1} = e(g_1^{x_1}, h) = e(y_1, h)$ (1)

by bilinearity, so $V(pk_1, m, \sigma_{pv}) = \mathrm{Acc}$, as required. To show the DV-Consistency property, we note that if $\sigma_{pv} \stackrel{def}{=} S(sk_1, m) = h^{x_1}$, where $h = H(m)$, then $\hat{\sigma}_{dv} \stackrel{def}{=} CDV(pk_1, pk_3, m, \sigma_{pv}) = e(y_3, \sigma_{pv})$. Consequently:

$\hat{\sigma}'_{dv} \stackrel{def}{=} e(y_1^{x_3}, h) = e(y_3^{x_1}, h) = e(y_3, h)^{x_1} = e(y_3, h^{x_1}) = e(y_3, \sigma_{pv}) = \hat{\sigma}_{dv}$ (2)

by bilinearity, so $VDV(pk_1, (sk_3, pk_3), m, \hat{\sigma}_{dv}) = \mathrm{Acc}$, as required. Therefore the scheme DVSBM is consistent.

Unforgeability. In the random-oracle model for $H(.)$, we can prove the DV-unforgeability of the scheme assuming the Bilinear Diffie-Hellman (BDH) assumption. The reduction is efficient (no $q_H$ multiplicative cost in the insecurity bound) thanks to the random self-reducibility of BDH, by adapting Coron's technique [15] which was originally applied to prove the unforgeability of the FDH-RSA signature scheme assuming the RSA assumption. We note that the PV-unforgeability of our scheme reduces to the unforgeability of the BLS scheme [4], which was proven in [4] under a weaker assumption than hardness of BDH, namely hardness of the 'co-CDH' assumption.



534 Ron Steinfeld et al. 


Theorem 1 (DV-unforgeability of DVSBM). If the Bilinear Diffie-Hellman problem is hard in the bilinear group-pairs $(G_1, G_2)$ generated by the common-parameter algorithm GC, then the scheme DVSBM is DV-unforgeable (UF-DV notion) in the random-oracle model for $H(.)$. Concretely, the following insecurity bound holds:

$\mathrm{InSec}^{UF\text{-}DV}_{DVSBM}(t, q_s, q_H) \le \exp(1) \cdot (q_s + 1) \cdot \mathrm{InSec}_{BDH}(t[B]),$ (3)

where $t[B] = t + (q + q_s + 1) \cdot O(\ell \cdot \log_2 q + T_g \cdot \log_2 |G_1|) + T_\psi + T_e$. Here we define $q \stackrel{def}{=} q_H + q_s + 1$ and denote by $T_e$, $T_g$, and $T_\psi$ the running time bounds for evaluating the bilinear map $e$, performing a single group operation in $G_1$ or $G_2$, and evaluating the isomorphism $\psi$, respectively, and we use $\exp : \mathbb{R} \to \mathbb{R}$ to denote the natural exponential function.

Privacy. The privacy achieved by scheme DVSBM is perfect unconditional, be- 
cause the verifier can easily forge the DV-signatures he is receiving from the 
designator (as long as the verifier knows his secret-key, which is ensured by the 
key-registration protocol). 

Theorem 2 (Privacy of DVSBM). The scheme DVSBM achieves complete and perfect unconditional privacy (in the sense of the PR notion). Concretely:

$\mathrm{InSec}^{PR}_{DVSBM}(RP_1, \overline{RP}_1, \infty) = 0,$ (4)

where $RP_1 = (t_1, q_s, q_k, q_d)$ denotes $A_1$'s resource parameters and $\overline{RP}_1 = (\bar{t}_1, \bar{q}_s, \bar{q}_k)$ denotes the forgery strategy $\bar{A}_1$'s resources, which are given by: $\bar{t}_1 = t_1 + q_d \cdot O(T_e + T_g \log_2 |G_1| + q_k)$, $\bar{q}_s = q_s$ (complete privacy), $\bar{q}_d = q_d$, $\bar{q}_c = q_c$.

5 General Relationship between UDVS and ID-Based Encryption Schemes

Readers who are familiar with the Boneh-Franklin ID-Based Encryption scheme [2] may notice an intimate relationship between that scheme and our proposed UDVS scheme DVSBM. In this section we show that this relationship is one instance of a general equivalence between a certain subclass of secure UDVS schemes and a certain subclass of secure ID-Based Encryption schemes.

ID-Based Key Encapsulation Mechanism (ID-KEM) Schemes. We review the definition of ID-based encryption schemes (IBE) [2]. Actually, we will formulate our result in terms of a primitive called 'ID-Based Key Encapsulation Mechanism' (ID-KEM), defined analogously to the definition of standard non-ID-based KEMs [30]. An ID-Based Key Encapsulation Mechanism (ID-KEM) consists of 4 algorithms: Setup, Extract, Encrypt, Decrypt. Setup takes as input a security parameter $k$, and returns a system parameter string $cp$ and a master key $mk$. This is run initially by the 'Private Key Generator' (PKG). Extract takes as input system parameters $cp$, master key $mk$, and a user identity string $ID \in S_{ID}$ and returns a user secret key $sk_{ID} = \mathrm{Extract}(cp, mk, ID)$ corresponding to identity $ID$. Encrypt is a randomized algorithm which takes as input system parameters $cp$, a recipient identity string $ID$ and a random input $r \in S_R$ and returns a pair $(K, c) = \mathrm{Encrypt}(cp, ID; r)$, where $K = \mathrm{Enc}_K(cp, ID; r)$ is a 'session key' (which can be used with a symmetric encryption scheme to encrypt a message) and $c = \mathrm{Enc}_c(cp, ID; r)$ is a ciphertext for $K$ (we call $\mathrm{Enc}_K$ and $\mathrm{Enc}_c$ the key-computation and key-encapsulation functions induced by Encrypt). Given $cp$, $sk_{ID}$ and $c$, $\mathrm{Decrypt}(cp, sk_{ID}, c)$ recovers a session key $K$. An ID-KEM is consistent if $\mathrm{Decrypt}(cp, sk_{ID}, \mathrm{Enc}_c(cp, ID; r)) = \mathrm{Enc}_K(cp, ID; r)$ holds, where $sk_{ID} = \mathrm{Extract}(cp, mk, ID)$, for all $(ID, r)$ and $(cp, mk)$ generated by Setup.

Ephemeral-Key (EK) and Separable ID-KEM Schemes. For constructing UDVS schemes, we need an ID-KEM scheme which satisfies two properties: EK and Separable. An ID-KEM scheme is said to have the EK property if the ciphertext $c = \mathrm{Enc}_c(cp, ID; r)$ produced by the key-encapsulation function $\mathrm{Enc}_c$ does not depend on $ID$. An ID-KEM scheme is said to be Separable if the Setup can be separated into two efficient algorithms $\mathrm{Setup}_1$ and $\mathrm{Setup}_2$ such that the following holds. On input security parameter $k$, $\mathrm{Setup}_1(k)$ returns a string $cp_1$, and on input $cp_1$, $\mathrm{Setup}_2(cp_1)$ returns a master key $mk$ and a second string $cp_2$. The system parameter string is $cp = (cp_1, cp_2)$, and we require that the ciphertext $c = \mathrm{Enc}_c((cp_1, cp_2), ID; r)$ produced by the key-encapsulation function $\mathrm{Enc}_c$ does not depend on $cp_2$.

Strong ID-One-Wayness. Following the definition in [2], a basic security requirement for ID-KEM schemes is ID-One-Wayness (ID-OW). For constructing UDVS schemes, we need a stronger requirement that we call Strong ID-One-Wayness (ST-ID-OW). An ID-KEM scheme is said to have the ST-ID-OW property if it is infeasible for an attacker $A$ to win the following two-stage game. In Stage 1, $A$ is given the system parameters $cp$ and outputs a recipient identity $ID$ he wants to be challenged on. In Stage 2, $A$ is given a random KEM challenge ciphertext $c = \mathrm{Enc}_c(cp, ID; r)$ intended for recipient $ID$, but we allow $A$ to adaptively 'change his mind' about the challenge identity; at the end of Stage 2, $A$ outputs an identity $ID^*$ and an estimate $\hat{K}^*$ for the decryption $K^* = \mathrm{Decrypt}(cp, sk_{ID^*}, c)$ of $c$ under the secret key $sk_{ID^*}$ corresponding to identity $ID^*$. $A$ is said to win if $\hat{K}^* = K^*$ (in both stages, $A$ is allowed to query any $ID' \ne ID^*$ to the Extract oracle). Note that in the weaker ID-OW notion [2] $A$ is not able to change the identity picked at the end of Stage 1.

We remark that the Boneh-Franklin IBE [2] can be seen as derived from an underlying separable EK ID-KEM, whereas the Cocks IBE scheme [14] does not seem to give rise to such a KEM.

Constructing a UDVS Scheme from a Separable EK ID-KEM Scheme. We can now describe our general construction of a UDVS scheme from a Separable EK ID-KEM scheme which achieves Strong ID-One-Wayness.

1. Com. Par. Generation GC. Compute $cp_1 = \mathrm{Setup}_1(k)$. The common parameters are $cp_1$.

2. Signer Key Generation GKS. Given common parameters $cp_1$, compute $(cp_2, mk) = \mathrm{Setup}_2(cp_1)$. The public key is $(cp_1, cp_2)$. The secret key is $(cp_1, cp_2, mk)$.

3. Verifier Key Generation GKV. Given common parameters $cp_1$, let $ID_0$ and $cp_{20}$ denote any fixed strings. Compute the KEM ciphertext $c = \mathrm{Enc}_c((cp_1, cp_{20}), ID_0; r_c)$ for uniformly random $r_c \in S_R$. The public key is $c$. The secret key is $r_c$.

4. Signing S. Given the signer's secret key $(cp_1, cp_2, mk)$ and message $m$, compute $sk_m = \mathrm{Extract}((cp_1, cp_2), mk, m)$. The PV signature is $sk_m$.

5. Public Verification V. Given the signer's public key $(cp_1, cp_2)$ and a message/PV-sig. pair $(m, sk_m)$, compute a random KEM ciphertext to identity string $m$ as $c = \mathrm{Enc}_c((cp_1, cp_2), m; r)$ for uniformly random $r \in S_R$, with associated encapsulated key $K = \mathrm{Enc}_K((cp_1, cp_2), m; r)$. Accept if and only if $K' = K$, where $K' = \mathrm{Decrypt}((cp_1, cp_2), sk_m, c)$.

6. Designation CDV. Given the signer's public key $(cp_1, cp_2)$, a verifier's public key $c$ and a message/PV-sig. pair $(m, sk_m)$, compute $K_{c,m} = \mathrm{Decrypt}((cp_1, cp_2), sk_m, c)$. The DV signature is $K_{c,m}$.

7. Designated Verification VDV. Given a signer's public key $(cp_1, cp_2)$, a verifier's secret key $r_c$, and a message/DV-sig. pair $(m, K_{c,m})$, compute $K'_{c,m} = \mathrm{Enc}_K((cp_1, cp_2), m; r_c)$ and accept if and only if $K'_{c,m} = K_{c,m}$.

The underlying idea behind the construction is a correspondence between the ID-KEM setting and the UDVS setting, where one can make associations between: signer and PKG, messages and identities, DV-sigs. and session keys, designator and decryptor, verifier and encryptor. We point out however the reasons behind the necessity of the special requirements on the ID-KEM scheme: (1) The DV-Consistency of the UDVS scheme translates to the requirement on the ID-KEM scheme that if $c = \mathrm{Enc}_c((cp_1, cp_{20}), ID_0; r_c)$ then $\mathrm{Decrypt}((cp_1, cp_2), sk_{ID}, c) = \mathrm{Enc}_K((cp_1, cp_2), ID; r_c)$ for any $ID$ and the corresponding secret key $sk_{ID}$ to $ID$. This requirement is satisfied by all Separable EK ID-KEM schemes, but not for general ID-KEM schemes. (2) The ID-KEM separability property is necessary in order that the verifier key-generation algorithm GKV does not need the signer's public key $pk_1$; we require a UDVS scheme to allow verifiers to generate keys just once, not once per signer. (3) The ID-KEM needs to have the strong ID-One-Wayness to ensure the existential DV unforgeability for the constructed UDVS scheme.
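The seven-step transform above, wired to a constructed toy ID-KEM so that the signer/PKG, message/identity and DV-sig./session-key correspondences can be exercised end to end (added example, not the paper's code). The toy KEM is an assumption of this example: it has the Separable, EK and consistency structure the transform needs, but it is not ST-ID-OW (a single Extract answer reveals the master key), so it illustrates only the plumbing of the construction, nothing about its security.

```python
"""Generic UDVS-from-ID-KEM transform of Section 5 over a constructed toy ID-KEM.
Assumed toy KEM (Separable, EK, consistent; NOT ST-ID-OW, one Extract leaks s):
  Setup_1 -> cp_1 = (P, Q, G);  Setup_2(cp_1) -> cp_2 = G^s, mk = s
  Extract(ID) = s * H(ID) mod Q;  Enc_c(r) = G^r   (uses neither ID nor cp_2)
  Enc_K(ID; r) = cp_2^(r * H(ID));  Decrypt(sk_ID, c) = c^sk_ID
"""
import hashlib
import random

P, Q, G = 2039, 1019, 4   # constructed toy group: <G> has prime order Q in Z_P^*

def hid(identity):
    """Hash an identity (a message, in UDVS terms) to a nonzero exponent mod Q."""
    d = int.from_bytes(hashlib.sha256(identity).digest(), "big")
    return 1 + d % (Q - 1)

# --- toy ID-KEM: Setup_1, Setup_2, Extract, Enc_c, Enc_K, Decrypt ---------------
def setup1():
    return (P, Q, G)

def setup2(cp1, rng=random):
    s = rng.randrange(1, Q)
    return pow(G, s, P), s                 # (cp_2, mk)

def extract(cp1, cp2, mk, identity):
    return mk * hid(identity) % Q          # sk_ID

def enc_c(cp1, r):                         # EK + Separable: no ID, no cp_2 inside
    return pow(G, r, P)

def enc_k(cp1, cp2, identity, r):
    return pow(cp2, r * hid(identity) % Q, P)

def decrypt(cp1, cp2, sk_id, c):
    return pow(c, sk_id, P)

# --- UDVS obtained from it, step by step as in Section 5 ------------------------
def GC():
    return setup1()                        # cp_1

def GKS(cp1, rng=random):
    cp2, mk = setup2(cp1, rng)
    return (cp1, cp2, mk), (cp1, cp2)      # (sk_1, pk_1): the signer is the PKG

def GKV(cp1, rng=random):
    r_c = rng.randrange(1, Q)
    return r_c, enc_c(cp1, r_c)            # (sk_3, pk_3 = c): no signer key needed

def S(sk1, m):
    cp1, cp2, mk = sk1
    return extract(cp1, cp2, mk, m)        # PV-sig = secret key of identity "m"

def V(pk1, m, sigma, rng=random):
    cp1, cp2 = pk1
    r = rng.randrange(1, Q)                # fresh KEM ciphertext to identity m
    return decrypt(cp1, cp2, sigma, enc_c(cp1, r)) == enc_k(cp1, cp2, m, r)

def CDV(pk1, pk3, m, sigma):
    cp1, cp2 = pk1
    return decrypt(cp1, cp2, sigma, pk3)   # DV-sig = session key K_{c,m}

def VDV(pk1, sk3, m, sigma_dv):
    cp1, cp2 = pk1
    return sigma_dv == enc_k(cp1, cp2, m, sk3)

def F(pk1, sk3, m):
    """Universal forger of Lemma 1: the verifier just runs Enc_K with his r_c."""
    cp1, cp2 = pk1
    return enc_k(cp1, cp2, m, sk3)

if __name__ == "__main__":
    cp1 = GC()
    sk1, pk1 = GKS(cp1)
    sk3, pk3 = GKV(cp1)
    msg = b"Alice is over 18"              # constructed sample message
    sigma = S(sk1, msg)
    assert V(pk1, msg, sigma)
    sigma_dv = CDV(pk1, pk3, msg, sigma)
    assert VDV(pk1, sk3, msg, sigma_dv)
    assert sigma_dv == F(pk1, sk3, msg)    # verifier forges the same DV-sig
    print("UDVS-from-ID-KEM toy checks passed")
```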

Constructing an ID-KEM from a UDVS scheme. Interestingly, the above correspondence can also be used in the other direction to construct an ID-KEM scheme (and hence an IBE scheme) from any DV-unforgeable UDVS scheme which is DVSig-Unique and achieves perfect unconditional privacy. The latter properties are needed for the consistency of the ID-KEM construction. The ID-KEM construction is as follows (we let $F$ denote the universal forgery algorithm associated with the UDVS scheme, which exists by Lemma 1).

1. System Par. Gen. Setup. Given security parameter $k$, compute $cp = GC(k)$ and $(sk_1, pk_1) = GKS(cp)$. The system parameters are $(cp, pk_1)$. The master key is $(cp, sk_1)$.

2. Secret-Key Extraction Extract. Given master key $sk_1$ and identity $ID$, compute $\sigma_{ID} = S(sk_1, ID)$. The identity secret key is $\sigma_{ID}$.

3. KEM Encryption Encrypt. Given system par. $(cp, pk_1)$, identity $ID$ and random input $r$, compute $(sk_3, pk_3) = GKV(cp; r)$ using random input $r$ and the DV-sig. forgery $\hat{\sigma}_{ID, pk_3} = F(cp, pk_1, sk_3, pk_3, ID)$. The KEM ciphertext is $pk_3$. The encapsulated key is $\hat{\sigma}_{ID, pk_3}$.

4. Decryption Decrypt. Given system par. $(cp, pk_1)$, secret key $\sigma_{ID}$ corresponding to identity $ID$, and KEM ciphertext $pk_3$, compute the DV-sig. $\hat{\sigma}'_{ID, pk_3} = CDV(pk_1, pk_3, ID, \sigma_{ID})$. The decrypted encapsulated key is $\hat{\sigma}'_{ID, pk_3}$.

We summarise our equivalence result in the following statement. 

Theorem 3 (Equivalence between subclasses of ID-KEM and UDVS Schemes). (1) Given any separable and EK ID-KEM scheme $KEM = (\mathrm{Setup}_1, \mathrm{Setup}_2, \mathrm{Extract}, \mathrm{Encrypt}, \mathrm{Decrypt})$ which is consistent and achieves Strong ID-One-Wayness (ST-ID-OW notion), we can construct a UDVS scheme which is consistent and DVSig-Unique and achieves complete perfect unconditional privacy (PR notion) and DV-unforgeability (UF-DV notion).

(2) Conversely, given any UDVS scheme $DVS = (GC, GKS, GKV, S, V, CDV, VDV, P_{kr})$ (where $P_{kr}$ is the direct key-reg. protocol) which is DVSig-Unique, consistent, and achieves complete perfect unconditional privacy (PR notion) and DV-unforgeability (UF-DV notion), we can construct an EK ID-KEM scheme $KEM$ which is consistent and achieves Strong ID-One-Wayness (ST-ID-OW notion).

6 Implementation Aspects and Extensions 

6.1 Practical Efficiency of UDVS Scheme DVSBM 

Currently, the only known way to construct bilinear group-pairs in which BDH is hard is to set $G_1$ and $G_2$ to be subgroups of the group of points on certain elliptic curves, as described in [23,2,4,1]. As shown in [1], for such implementations it is possible to evaluate the bilinear map in less than 20ms on a 1GHz P-III processor. Thus we believe that such potential implementations of our scheme are quite practical for many applications of UDVS schemes. Compared to the ring signature in [3], which can also function as a UDVS scheme when restricted to Two-Users as mentioned in Section 1.1, our scheme requires only a single pairing evaluation for designated verification (plus an exponentiation) whereas the scheme in [3] requires three pairing evaluations for this purpose. On the other hand, the scheme in [3] requires only two exponentiations for designation, which may be more efficient than the one pairing evaluation for designation in our scheme.

6.2 Achieving Unforgeability against the KRA

One may require unforgeability of DV-sigs. even against the KRA, which is a stronger notion than the DV-unforgeability we defined. To achieve this one can replace the direct key-reg. protocol that we assumed by a zero-knowledge proof of knowledge of the verifier's secret key. For the scheme DVSBM, the Schnorr proof of knowledge of discrete-logs protocol [29] should suffice for this purpose, although we do not claim a formal proof of security for the resulting scheme.

6.3 Communication-Efficient Selective Disclosure for UDVS Scheme DVSBM

In the application of UDVS schemes to certification systems, Alice's certificate may contain $n$ statements, but Alice may wish to further protect her privacy by disclosing only a selected subset of $r < n$ signed statements to Bob. This is easily achieved if Alice obtains a separate signature from the CA for each statement, but requires Alice to send (and designate) $r$ signatures to Bob. Here we observe that for the scheme DVSBM, Alice can reduce the communication cost to only a single DV signature length (and also reduce her computation cost to only one designation and $r - 1$ group operations) by using similar techniques as used in [3]. Namely, given the PV signatures $(\sigma_1, \ldots, \sigma_r)$ by a signer with public key $y_1 = g_1^{x_1}$ on messages $(m_1, \ldots, m_r)$, with $\sigma_i = h_i^{x_1}$ and $h_i = H(m_i)$ for $i = 1, \ldots, r$, a user who wishes to designate a signature on these messages to a verifier with public key $y_3 = g_1^{x_3}$ first multiplies the PV signatures to get $\sigma = \sigma_1 \cdots \sigma_r$, and then designates the product to get $\hat{\sigma}_{dv} = e(y_3, \sigma)$. The verifier receives $(m_1, \ldots, m_r)$, $y_1$ and $\hat{\sigma}_{dv}$, computes $\hat{\sigma}'_{dv} = e(y_1^{x_3}, h)$ where $h = h_1 \cdots h_r$, and checks that $\hat{\sigma}'_{dv} = \hat{\sigma}_{dv}$. The scheme can be proved DV-unforgeable in the 'aggregate signature' sense defined in [4] by reduction from the DV-unforgeability of DVSBM.
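A toy run of the DVSBM algorithms of Section 4.2 (GC, GKS, GKV, S, V, CDV, VDV), the universal forger $F$ behind Theorem 2, and the product-of-signatures designation just described in Section 6.3; this is an added example, not the paper's code. Its one assumption is that the pairing is emulated on a tiny prime-order subgroup of $\mathbb{Z}_p^*$ by brute-forcing discrete logs, $e(g^u, g^v) = g^{uv}$, which is bilinear and non-degenerate (all Eqs. (1) and (2) use) but far too small to be secure, so the code checks the algebra and nothing more.

```python
"""Toy DVSBM (Section 4.2) plus the Section 6.3 aggregation, added example.
Assumption: constructed group <G1> of prime order Q inside Z_P^*, G_1 = G_2,
psi = identity, and a pairing emulated via brute-force discrete logs."""
import hashlib
import random
from functools import reduce

P = 2039   # constructed toy prime, P = 2*Q + 1
Q = 1019   # prime order |G_1| = |G_2| = |G_T|
G1 = 4     # generator of the order-Q subgroup

def dlog(a):
    """Brute-force discrete log base G1 (feasible only because Q is tiny)."""
    acc = 1
    for k in range(Q):
        if acc == a:
            return k
        acc = acc * G1 % P
    raise ValueError("element not in the order-Q subgroup")

def pair(a, b):
    """Emulated bilinear map e(G1^u, G1^v) = G1^(u*v) in G_T = <G1>."""
    return pow(G1, dlog(a) * dlog(b) % Q, P)

def H(m):
    """Random-oracle stand-in H : {0,1}^* -> G_2 minus {1}, via SHA-256."""
    d = int.from_bytes(hashlib.sha256(m).digest(), "big")
    return pow(G1, 1 + d % (Q - 1), P)

def keygen(rng=random):
    """GKS and GKV are the same: secret x, public y = g1^x; returns (x, y)."""
    x = rng.randrange(1, Q)
    return x, pow(G1, x, P)

def sign(x1, m):                       # S: sigma = H(m)^x1 in G_2
    return pow(H(m), x1, P)

def verify(y1, m, sigma):              # V: e(g1, sigma) == e(y1, H(m)), Eq. (1)
    return pair(G1, sigma) == pair(y1, H(m))

def designate(y3, sigma):              # CDV: sigma_dv = e(y3, sigma)
    return pair(y3, sigma)

def dv_verify(y1, x3, m, sigma_dv):    # VDV: sigma_dv == e(y1^x3, H(m)), Eq. (2)
    return sigma_dv == pair(pow(y1, x3, P), H(m))

def forge_dv(y1, x3, m):
    """Universal forger F (Theorem 2): the designated verifier recomputes
    e(y1^x3, H(m)) with no signature at all, so a DV-sig convinces no one else."""
    return pair(pow(y1, x3, P), H(m))

def designate_subset(y3, sigmas):
    """Section 6.3: one DV-sig for r PV-sigs, e(y3, sigma_1 * ... * sigma_r)."""
    return pair(y3, reduce(lambda a, b: a * b % P, sigmas, 1))

def dv_verify_subset(y1, x3, msgs, sigma_dv):
    """Verifier side of 6.3: compare with e(y1^x3, H(m_1) * ... * H(m_r))."""
    h = reduce(lambda a, b: a * b % P, (H(m) for m in msgs), 1)
    return sigma_dv == pair(pow(y1, x3, P), h)

if __name__ == "__main__":
    rng = random.Random(2003)
    x1, y1 = keygen(rng)               # signer (the CA)
    x3, y3 = keygen(rng)               # designated verifier (Bob)
    m = b"Alice is over 18"            # constructed sample statement
    sigma = sign(x1, m)
    assert verify(y1, m, sigma)
    sigma_dv = designate(y3, sigma)
    assert dv_verify(y1, x3, m, sigma_dv)
    assert sigma_dv == forge_dv(y1, x3, m)          # perfect privacy
    stmts = [b"name=Alice", b"age>=18", b"member"]  # constructed certificate
    agg = designate_subset(y3, [sign(x1, s) for s in stmts])
    assert dv_verify_subset(y1, x3, stmts, agg)
    print("DVSBM toy checks passed")
```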

7 Conclusions and Future Work 

We introduced Universal Designated-Verifier Signature (UDVS) schemes to improve the privacy of users in certification systems while maintaining the ease of use of electronic certificates. We defined precise security notions for UDVS schemes, proposed an efficient deterministic UDVS scheme based on bilinear group-pairs, and proved that our scheme achieves our desired security notions (in the random-oracle model), assuming the hardness of the Bilinear Diffie-Hellman problem for the underlying group-pair. We also showed a general relationship between UDVS schemes and ID-Based encryption schemes, and discussed extensions to our basic scheme. In [26], we extend this work and show how to construct practical randomized UDVS schemes based on the classical Diffie-Hellman and RSA problems, in the random-oracle model. Threshold versions of UDVS schemes, in which the designator or designated-verifier consist of groups of users, are an interesting topic for future research. Another interesting problem is to construct a practical UDVS scheme which is unforgeable in the standard computational model with respect to established cryptographic assumptions.
A Proofs

A.1 Proof of Theorem 2

We first observe that DVSBM is a DVSig-Unique scheme. This follows immediately from the facts that there is only one secret key $x_1 \in \mathbb{Z}_{|G_1|}$ corresponding to each signer public key $y_1 = g_1^{x_1}$ (since $g_1$ is a generator), and the signing and designation algorithms are both deterministic. Secondly, we observe that there exists an efficient universal DV signature forgery algorithm $F$, which on input $(cp, y_1, (x_3, y_3), m^*)$ computes the unique DV signature $\hat{\sigma}_{dv} = CDV(cp, y_1, y_3, m^*, S(cp, x_1, m^*))$ with probability 1. Namely, $F$ simply computes $\hat{\sigma} = e(y_1^{x_3}, h)$ as done by the DV verification algorithm, which is equal to $\hat{\sigma}_{dv}$ by the DV-Consistency property Eq. (2). The algorithm $F$ runs in time $t_F = O(T_g \cdot \log_2 |G_1|) + T_e$. We now construct the forgery strategy $\bar{A}_1$ as in the proof of Lemma 1, where $\bar{A}_1$ simply runs $A_1$ and perfectly simulates its designation queries using $F$ and the appropriate verifier secret keys from corresponding KRA queries of $A_1$. The run-time of $\bar{A}_1$ is the run-time $t_1$ of $A_1$ plus the time $q_d \cdot O(t_F + q_k)$ to search KRA queries and run $F$ for each designation query of $A_1$. All other queries of $A_1$ are simply forwarded by $\bar{A}_1$ to its oracles. This completes the proof. □

A.2 Proof of Theorem 3

Proof of (1). We show that the UDVS scheme DVS constructed from the given separable EK ID-KEM scheme KEM as in Section 5 has all the claimed properties.

Consistency: PV Verifiability. For any $(sk_1, pk_1) = GKS(cp)$, we have that $sk_1 = (cp_1, cp_2, mk)$. So $\sigma_{pv} = S(sk_1, m) = \mathrm{Extract}((cp_1, cp_2), mk, m)$ is the user secret key corresponding to user identity $m$ and hence $K' = \mathrm{Decrypt}((cp_1, cp_2), \sigma_{pv}, \mathrm{Enc}_c((cp_1, cp_2), m; r))$ in V is equal to $K = \mathrm{Enc}_K((cp_1, cp_2), m; r)$ by consistency of KEM, so V returns Acc.

Consistency: DV Verifiability. From the definition of GKV we have that $pk_3 = \mathrm{Enc}_c((cp_1, cp_{20}), ID_0; sk_3)$, and using the Separable and EK properties of KEM, we also have $pk_3 = \mathrm{Enc}_c((cp_1, cp_2), m; sk_3)$ for any $m$. So since $\sigma_{pv} = S(sk_1, m) = \mathrm{Extract}((cp_1, cp_2), mk, m)$ is the user secret key corresponding to identity $m$, it follows from the consistency of KEM that $\hat{\sigma}_{dv} = K_{c,m} = \mathrm{Decrypt}((cp_1, cp_2), \sigma_{pv}, \mathrm{Enc}_c((cp_1, cp_2), m; sk_3))$ is equal to $K'_{c,m} = \mathrm{Enc}_K((cp_1, cp_2), m; sk_3)$, so VDV returns Acc.

DVSig-Uniqueness. Given $(cp_1, pk_1, pk_3, m)$, the DV signature $\hat{\sigma}_{dv} = \mathrm{Decrypt}(pk_1, \sigma_{pv}, pk_3)$ is uniquely determined by $(cp_1, pk_1, pk_3, m)$, since $\sigma_{pv}$ is the secret key corresponding to identity $m$ and all secret keys corresponding to a given identity must give identical decryptions of any given ciphertext, to satisfy the consistency of KEM.

DV-Unforgeability. Given any efficient DV-UF attacker $A$ against DVS with resources $(t, q_s)$ and non-negligible success probability $\mathrm{Succ}^{UF\text{-}DV}_{DVS,A}(k)$, we construct an efficient ST-ID-OW attacker $\bar{A}$ against KEM, which works as follows on input $(cp_1, cp_2)$. Let $ID_0 \in S_{ID}$ be any identity string. In Stage 1, $\bar{A}$ just outputs $ID_0$ as the challenge identity. In Stage 2, $\bar{A}$ is given the challenge ciphertext $c^* = \mathrm{Enc}_c((cp_1, cp_2), ID_0; r^*)$ for uniformly random $r^* \in S_R$. Then $\bar{A}$ sets $pk_3 = c^*$, $pk_1 = (cp_1, cp_2)$ and runs $A$ on input $(cp_1, pk_1, pk_3)$. When $A$ queries a message $m^*$ to its S oracle, $\bar{A}$ forwards it to its Extract oracle and returns the answer to $A$. Eventually, $A$ outputs a forgery $(m^*, \hat{\sigma}^*_{dv})$ for a new message $m^*$ never queried by $A$ to be signed and hence never queried by $\bar{A}$ to Extract. Then $\bar{A}$ outputs $(m^*, \hat{\sigma}^*_{dv})$ as its ID/decrypted-key solution pair. Since $\bar{A}$ simulated the view of $A$ exactly as in a UF-DV attack, we know that, with probability at least $\mathrm{Succ}^{UF\text{-}DV}_{DVS,A}(k)$, we have $\hat{\sigma}^*_{dv} = \mathrm{Enc}_K(cp_1, cp_2, m^*; r^*)$, which by consistency of KEM is equal to $\mathrm{Decrypt}(cp_1, cp_2, sk_{m^*}, \mathrm{Enc}_c(cp_1, cp_2, m^*; r^*))$, which in turn is equal to $\mathrm{Decrypt}(cp_1, cp_2, sk_{m^*}, c^*)$ by the EK property of KEM, which is the desired output for $\bar{A}$ (here $sk_{m^*}$ is the secret key corresponding to identity $m^*$). So $\bar{A}$ breaks ST-ID-OW with non-negligible probability $\mathrm{Succ}^{UF\text{-}DV}_{DVS,A}(k)$, with efficient running time $t$, and $q_s$ extraction queries, contradicting the assumed ST-ID-OW security of KEM.

Complete Unconditional Privacy. We show the existence of an efficient universal forgery algorithm $F$, which on input $(cp_1, pk_1, (sk_3, pk_3), m^*)$ computes the unique DV signature $\hat{\sigma}_{dv} = CDV(pk_1, pk_3, m^*, S(sk_1, m^*))$ with probability 1. The claimed complete and unconditional privacy then follows by applying Lemma 1. The forger $F$ computes the forgery as in the DV verification algorithm, i.e. $\hat{\sigma}_{dv} = \mathrm{Enc}_K(pk_1, m^*; sk_3)$. The algorithm is efficient and is correct with probability 1 due to perfect consistency of KEM, as shown in the proof of the DV-Consistency property.

This completes the proof of part (1).

Proof of (2). We show that the ID-KEM scheme KEM constructed from the given UDVS scheme DVS as in Section 5 has all the claimed properties.

Consistency. By the assumed privacy of DVS we have from Lemma 1 that the encrypted key $K = F(cp, pk_1, sk_3, pk_3, ID)$ is equal to the decrypted key $K' = CDV(pk_1, pk_3, ID, S(sk_1, ID))$ with probability 1, so KEM is consistent.

ST-ID-OW Security. Given any efficient ST-ID-OW attacker $A$ against KEM with resources $(t, q_E)$ and non-negligible success probability $\mathrm{Succ}^{ST\text{-}ID\text{-}OW}_{KEM,A}(k)$, we construct an efficient UF-DV attacker $\bar{A}$ against DVS, which works as follows on input $(cp, pk_1, pk_3)$. First, $\bar{A}$ runs $A$ on input $\overline{cp} = (cp, pk_1)$. When $A$ queries an identity $ID_i$ to its Extract oracle, $\bar{A}$ forwards it to its S oracle and returns the answer to $A$. At the end of its Stage 1, $A$ outputs a challenge identity $ID$, and $\bar{A}$ returns the ciphertext $pk_3$ to $A$. At the end of Stage 2, $A$ outputs a solution $(ID, K')$, and $\bar{A}$ outputs $(ID, K')$ as its message/DV-sig. forgery pair. Since $\bar{A}$ simulated the view of $A$ exactly as in a ST-ID-OW attack, we know that, with probability at least $\mathrm{Succ}^{ST\text{-}ID\text{-}OW}_{KEM,A}(k)$, $A$'s output is equal to the decrypted key $\mathrm{Decrypt}(cp, sk_{ID}, pk_3)$ for ciphertext $pk_3$ with respect to identity $ID$, namely the unique DV sig. $\hat{\sigma}^*_{dv} = CDV(pk_1, pk_3, ID, S(cp, sk_1, ID))$ on message $ID$, which was not queried by $A$ to Extract, and thus not queried by $\bar{A}$ to S. So $\bar{A}$ breaks UF-DV of DVS with probability $\mathrm{Succ}^{ST\text{-}ID\text{-}OW}_{KEM,A}(k)$, running time $t$, and $q_E$ signature queries. This completes the proof of part (2). □